We use QRadar's wincollect for collecting windows event logs. During the process of windows server integration and since we might have different languages depend on the location (English, spanish or french) we encounter some problem with QRadar windows parser packages in languages other than English.
We're switching to Elastic SIEM and I wanna know how winlogbeat handles different languages. The only thing i found related to this was :
event.code
Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
So how does it handle it? is it on the XML Level ? are we gonna have issues with certain languages
or in the long run ?
I found your question interesting so I shipped from windows in Spanish and Korean language, just as an example.
Now I am not sure what you are trying to do, but basically for the moment, the Event ID field event.code is the key to unify these events together. Let me show you a screenshot, maybe that makes it clearer.
And now the the e.g. log levels are still in local language:
Apart from that it doesn't matter for tracking the SIEM itself as it is tracking down by some parameter like host name or the event.code as well, which are generalized by Elastic Common Schema.
Now we do have a generalized content generalization, but nothing stops you as well already at ingest level to translate certain information at ingest level in winlogbeat using script processors, which are very flexible: https://www.elastic.co/guide/en/beats/winlogbeat/master/processor-script.html
and migrate the fields into generalized content fields as well.
We already have right now a couple fields generalizing content and work on even doing that better using Common Event Model like ECS event categorization.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
