I installed winlogbeat 1.2 on Windows Server 2003 to collect the security log, then transfer it to ELK.
But I found a problem: winlogbeat 1.2 puts the "Description" section data into the "message" field in ELK. It does not divide the sub-attributes into independent fields, such as "User Name", "Logon ID", "Source Network Address" and so on.
I also tested the winlogbeat v5 test version; it could divide the sub-attributes into independent fields, but the field names of the sub-attributes are like "event_data.param1", "event_data.param2", "event_data.param3" ..., not the correct names.
Could anyone help me? Thank you so much.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Time: 1:39:09 PM
User Name: Administrator
Domain: CNKUSBK1
Logon ID: (0x2,0x1F7BC1FF)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: SERVER01
Logon GUID: -
Caller User Name: SERVER01$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 216
Transited Services: -
Source Network Address: 192.168.1.100
Source Port: 53831
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
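One way to get named fields out of the pre-Vista "Description" text that winlogbeat 1.2 leaves in `message` is to split it yourself before (or instead of) relying on the beat. The parser below is an added example written for this thread; it is not code from the original post nor from winlogbeat or Logstash. The sample message is constructed from the event 528 shown above (the "Successful Logon:" heading and the tab layout are assumed, since the post shows only the rendered lines), the snake_case field names are my own convention, and the Logon Type table is the standard Windows logon type list, assumed here to apply to this 2003 event. Beyond plain splitting it also converts the `(high,low)` Logon ID pair into one 64-bit integer and turns `-` placeholders into null, which is what you want before indexing.

```python
import json
import re

# Standard Windows logon type codes (assumed to apply to the 2003 event above;
# the post's event is type 10, a Terminal Services logon).
LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
    "10": "RemoteInteractive", "11": "CachedInteractive",
}

# "Label: value" where the label is words only; the lazy match stops at the
# first colon, so values such as "(0x2,0x1F7BC1FF)" or an IP stay intact.
LABEL_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
# Pre-Vista LUID rendering: (HighPart,LowPart), both hex.
LUID_RE = re.compile(r"^\(0x([0-9A-Fa-f]+),0x([0-9A-Fa-f]+)\)$")

# Constructed sample (not captured data): the description of the event 528
# from the post as winlogbeat 1.2 would carry it in the "message" field.
SAMPLE_MESSAGE = (
    "Successful Logon:\n"
    " \tUser Name:\tAdministrator\n"
    " \tDomain:\t\tCNKUSBK1\n"
    " \tLogon ID:\t\t(0x2,0x1F7BC1FF)\n"
    " \tLogon Type:\t10\n"
    " \tLogon Process:\tUser32  \n"
    " \tAuthentication Package:\tNegotiate\n"
    " \tWorkstation Name:\tSERVER01\n"
    " \tLogon GUID:\t-\n"
    " \tCaller User Name:\tSERVER01$\n"
    " \tCaller Domain:\tWORKGROUP\n"
    " \tCaller Logon ID:\t(0x0,0x3E7)\n"
    " \tCaller Process ID: 216\n"
    " \tTransited Services: -\n"
    " \tSource Network Address:\t192.168.1.100\n"
    " \tSource Port:\t53831\n"
    "\n"
    "For more information, see Help and Support Center at "
    "http://go.microsoft.com/fwlink/events.asp.\n"
)


def luid_to_int(text):
    """Turn '(0x2,0x1F7BC1FF)' into a single 64-bit integer, or None."""
    m = LUID_RE.match(text or "")
    if not m:
        return None
    return (int(m.group(1), 16) << 32) | int(m.group(2), 16)


def parse_description(message):
    """Split a 2003-style security event description into named fields."""
    fields = {}
    for raw in message.splitlines():
        line = raw.strip()
        # Skip blanks and the boilerplate trailer Windows appends.
        if not line or line.startswith("For more information"):
            continue
        m = LABEL_RE.match(line)
        if not m:
            continue
        label, value = m.group(1).strip(), m.group(2).strip()
        if not value:  # e.g. the "Successful Logon:" heading line
            continue
        key = label.lower().replace(" ", "_")
        fields[key] = None if value == "-" else value

    # Derived fields that make the data searchable rather than just readable.
    for key in ("logon_id", "caller_logon_id"):
        if fields.get(key):
            fields[key + "_int"] = luid_to_int(fields[key])
    if fields.get("logon_type") in LOGON_TYPES:
        fields["logon_type_name"] = LOGON_TYPES[fields["logon_type"]]
    return fields


if __name__ == "__main__":
    print(json.dumps(parse_description(SAMPLE_MESSAGE), indent=2))
```

Run it as a script to see the fields for the sample; in a pipeline you would apply `parse_description` to each event's `message` and merge the result into the document before indexing, so that `user_name`, `logon_id_int` and `source_network_address` become their own fields instead of one text blob.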