Finding User Name & more

(Marcos Felix) #1

1st Question:
I am forwarding logs from my collector environment to Kibana using winlogbeat
I am interested in finding who done what.
When I check a log I look for the user that done that, and I can't find - maybe I have bad filtering?
I found this: Logon ID: 0xA42006C
which seems to be hexadecimal, but I can't decipher into proper text.
I guess i'd be looking on User Name, but can't find anything

2nd Question:
How can I forward logs from winevt/logs ? I was thinking of entering the logs path into yml or putting the saved logs so whenever someone opens the saved logs from that folder it will automatically load it into winlogbeat
Any clues?

(Jaime Soriano) #2


There should be some user.* fields with the information you are looking for. You can find in the documentation the list of fields collected.

To forward logs from files to Elasticsearch, you can use filebeat.

(Marcos Felix) #3

if my filebeat is located on the Linux server and the logs saved is on Windows - how can I link the filebeat to collect from windows?

(Jaime Soriano) #4

You can also install filebeat in Windows, indeed it is recommended to install beats directly in each one of the nodes you want to monitor or collect logs from.

(Andrew Kroh) #5

This doc explains the Logon ID and has other useful information about the fields contains in various events.

(Marcos Felix) #6

That clears it up thank you. im also guessing by installing it on windows it doesnt get int he way of the Linux one. also i am only interested in the windows logs so i guess i can delete the Linux filebeat and it wont affect my winlogbeat right?

(Marcos Felix) #7

Great read, thanks

(system) #8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.