Generically named event_data.paramN on Windows XP and 2003

tuankun · April 5, 2016, 6:40am

Hi sir,
I installed the winlogbeat 1.2 on windows server 2003 to collect security log,then transfer to ELK.
But I found a problem,winlogbeat 1.2 will take the "Description" section data into the "message" field in ELK. it did not divide the sub-attribute into independent field,such as "User Name",Logon ID","Source Network Address" and so on.
also I tested the winlogbeat v5 test version,it could divide the sub-attribute into independent field,but the field name of the sub-attribute will be like "event_data.param1","event_data.param2","event_data.param3"....,not the correct name.

Could anyone help me ? thanks you so much.

security log:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 4/5/2016
Time: 1:39:09 PM
User: SERVER01\Administrator
Computer: CNKUSBK1
Description:
Successful Logon:
** User Name: Administrator**
** Domain: CNKUSBK1**
** Logon ID: (0x2,0x1F7BC1FF)**
** Logon Type: 10**
** Logon Process: User32 **
** Authentication Package: Negotiate**
** Workstation Name: SERVER01**
** Logon GUID: -**
** Caller User Name: SERVER01$**
** Caller Domain: WORKGROUP**
** Caller Logon ID: (0x0,0x3E7)**
** Caller Process ID: 216**
** Transited Services: -**
** Source Network Address: 192.168.1.100**
** Source Port: 53831**

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

andrewkroh · April 5, 2016, 5:28pm

Winlogbeat 1.2 does not provide the event_data field. That was introduced in v5.

Unfortunately, in Windows 2000, XP, and 2003 the message parameters are not named. The message associated with an event is stored as a template in a DLL or EXE file like "File %1 contains %2 which is in error." When an application logs an event it just provides an array of parameters (see NumStrings in EVENTLOGRECORD) and the parameters get substituted into the message template by index number.

Because the parameters are unnamed and there is no guaranteed format to the message template, Winlogbeat cannot provide descriptive names for these fields. You could use Logstash to rename the event_data.paramN fields to a more descriptive name on a per event ID basis.

Windows Vista and newer switched to a new format for the event log records where the parameters are named.

tuankun · April 6, 2016, 12:24am

thank you so much,andrewkroh,have you the time to release the stable version of winlogbeat v5? I can hardly wait.

andrewkroh · April 6, 2016, 12:40am

I don't have a date for the 5.0 GA. We released 5.0.0-alpha1 today and there will be few more releases prior to GA.

tuankun · April 6, 2016, 1:48am

Got it, I will test winlogbeat 5.0.0-alpha1,if no error，I will deploy it on all our our producation servers,thanks~~

dickepa · April 12, 2016, 11:24am

Hi Andrew, I have tried winlogbeat-5.0.0-alpha1-windows 64 but it's not sending data to my ELK stack. When I run it I do so using powershell run as admin "winlogbeat.exe -c winlogbeat.yml" and it seems to run without error message! However difficult to say since the cursor in ps just sits there and i am unable to see if winlogbeat is running in services.msc or get-service in powershell. All I know is that no data is being received.

Can you please advise more comprehensive instructions than the advice provided on the download page?

Thanks Paul

andrewkroh · April 12, 2016, 1:21pm

@dickepa, please start a new topic as I think this is mostly unrelated to the question here. For "comprehensive instructions" see the Getting Started section in the documentation. You need to use -e and -v to get more verbose output to the console (and for really verbose output add -d "*").