Finding User Name & more

Hello,
1st Question:
I am forwarding logs from my collector environment to Kibana using winlogbeat
I am interested in finding who did what.
When I check a log I look for the user that did that, and I can't find it - maybe I have bad filtering?
I found this: Logon ID: 0xA42006C
which seems to be hexadecimal, but I can't decipher into proper text.
I guess I'd be looking at User Name, but I can't find anything.

2nd Question:
How can I forward logs from winevt/logs? I was thinking of entering the logs path into the yml, or putting the saved logs there so whenever someone opens the saved logs from that folder it will automatically load them into winlogbeat.
Any clues?
Thanks

Hi,

There should be some user.* fields with the information you are looking for. You can find in the documentation the list of fields collected.

To forward logs from files to Elasticsearch, you can use filebeat.

If my filebeat is located on the Linux server and the saved logs are on Windows - how can I link filebeat to collect from Windows?

You can also install filebeat in Windows, indeed it is recommended to install beats directly in each one of the nodes you want to monitor or collect logs from.

This doc explains the Logon ID and has other useful information about the fields contained in various events.
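To show how the Logon ID answers the "who did what" question, here is an added example (not from the original thread or from the Beats project): the hex Logon ID is a handle for a logon session, so a 4624 logon event maps the TargetLogonId to a user, and later events from the same session carry that value as SubjectLogonId. The winlogbeat documents below are constructed and simplified; the `winlog.event_data.*` key names mirror the Windows Security event XML fields, and `0x3E7` is assumed here to be the well-known SYSTEM session that is never preceded by a collected 4624.

```python
# Constructed, simplified winlogbeat documents (real documents carry many more
# fields, including user.* fields populated by the Security module).
SAMPLE_DOCS = [
    {"winlog": {"event_id": 4624, "event_data": {
        "TargetUserName": "alice", "TargetDomainName": "CORP",
        "TargetLogonId": "0xA42006C", "LogonType": "10"}}},
    {"winlog": {"event_id": 4688, "event_data": {
        "SubjectUserName": "alice", "SubjectDomainName": "CORP",
        "SubjectLogonId": "0xa42006c",
        "NewProcessName": "C:\\Windows\\System32\\cmd.exe"}}},
    {"winlog": {"event_id": 4663, "event_data": {
        "SubjectLogonId": "0x3E7", "ObjectName": "C:\\secrets\\payroll.xlsx"}}},
]


def norm_logon_id(value):
    """Logon IDs are hex strings; compare them numerically so 0xA42006C == 0xa42006c."""
    return int(value, 16)


def build_logon_table(docs):
    """Map each logon session (4624 TargetLogonId) to DOMAIN\\user."""
    table = {}
    for doc in docs:
        w = doc["winlog"]
        if w["event_id"] == 4624:
            d = w["event_data"]
            user = f'{d["TargetDomainName"]}\\{d["TargetUserName"]}'
            table[norm_logon_id(d["TargetLogonId"])] = user
    return table


def resolve_actor(doc, table):
    """Return the user behind an event via its SubjectLogonId, or None when no 4624
    for that session was collected (e.g. the SYSTEM session 0x3E7, assumed here)."""
    logon_id = doc["winlog"]["event_data"].get("SubjectLogonId")
    if logon_id is None:
        return None
    return table.get(norm_logon_id(logon_id))


def who_did_what(docs):
    """Pair every non-logon event with the user that owned its logon session."""
    table = build_logon_table(docs)
    return [(doc["winlog"]["event_id"], resolve_actor(doc, table))
            for doc in docs if doc["winlog"]["event_id"] != 4624]


if __name__ == "__main__":
    for event_id, user in who_did_what(SAMPLE_DOCS):
        print(event_id, user or "<no logon seen for this session>")
```

A session whose 4624 happened before collection started (or was logged on another host) resolves to None, which is why the Logon ID alone is not enough and the logon event itself must be shipped too.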

That clears it up, thank you. I'm also guessing that by installing it on Windows it doesn't get in the way of the Linux one. Also, I am only interested in the Windows logs, so I guess I can delete the Linux filebeat and it won't affect my winlogbeat, right?

Great read, thanks
