winlogbeat version 5.6.1
config winlogbeat.yml
---
# Winlogbeat 5.6.1: read the Windows Application event log and ship each
# record to Logstash over the Beats protocol.
winlogbeat:
  # Presumably the state/bookmark file Winlogbeat keeps between runs —
  # confirm against the Winlogbeat reference for this version.
  registry_file: 'C:/ProgramData/winlogbeat/.winlogbeat.yml'
  event_logs:
    - name: Application

output.logstash:
  # The Logstash hosts ("host:port" is a placeholder for the beats listener).
  # NOTE(review): no ssl.* keys are set, so this transport is plaintext;
  # outside a lab, set ssl.certificate_authorities (plus a client
  # certificate/key) so event contents cannot be read or altered in transit.
  hosts: ['host:port']
config on the Logstash side
# Logstash pipeline: accept Beats traffic, index it into Elasticsearch, and
# echo every event to the console.
input {
  beats {
    # "port" is a placeholder for the listener port Winlogbeat connects to.
    # NOTE(review): no ssl => true / ssl_certificate / ssl_key here, so the
    # listener accepts plaintext connections from any client that can reach
    # the port — acceptable for a lab, not for production.
    port => port
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    # Presumably lets the client discover further cluster nodes from this
    # seed host, so writes may go to addresses other than localhost — confirm.
    sniffing => true
    # The index template is not installed by this output; it has to come
    # from elsewhere (e.g. loaded by the Beat).
    manage_template => false
    # One index per day, named after the shipping Beat (winlogbeat-YYYY.MM.dd).
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
  # Console debug copy of each event.
  # NOTE(review): stdout is shared by all pipeline workers, so rubydebug
  # dumps of concurrent events can interleave on the console; check a
  # mangled console line against the indexed document before treating it
  # as what was actually shipped.
  stdout { codec => rubydebug }
}
==================winlogbeat output================
2017/09/22 10:58:41.642698 client.go:214: DBG Publish: { "@timestamp": "2015-08-09T13:03:01.000Z", "beat": { "hostname": "hostname", "name": "hostname", "version": "5.6.1" }, "computer_name": "x.y.z.com", "event_data": { "Binary": "7B39363345354645422D313336372D343642392D383531442D413935374631413 3373437467D303030306337303938643436333465336636326338626663396234646633386137363 4653030303030393034", "param1": "Microsoft Network Monitor: NetworkMonitor Parsers 3.4", "param2": "3.4.2350.0", "param3": "1033", "param4": "0", "param5": "Microsoft Corporation", "param6": "(NULL)" }, "event_id": 1035, "keywords": [ "Classic" ], "level": "Information", "log_name": "Application", "message": "Windows Installer reconfigured the product. Product Name: Microsof t Network Monitor: NetworkMonitor Parsers 3.4. Product Version: 3.4.2350.0. Prod uct Language: 1033. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.", "opcode": "Info", "record_number": "16758", "source_name": "MsiInstaller", "type": "wineventlog", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", "name": "SYSTEM", "type": "Well Known Group" }
==================logstash output==================
{ "computer_name" => "x.y.z.com", "message-raw" => "%{logmessage}", "syslog_source-IP" => "x.y.z.com", "syslog_severity_code" => 5, "keywords" => [ [0] "Classic" ], "log_name" => "Application", "level" => "Information", "record_number" => "16659", "syslog_facility" => "user-level", "syslog_facility_code" => 1, "event_data" => { "param5" => "Microsoft Corporation", "param6" => "(NULL)", "Binary" => "7B33383334413930352D354343312D343534442D384341342D4143343439463132373735447D3030303064393930613738353432623338326234313262636639386631666531636235333030303030393034", "param3" => "1033", "param4" => "0", "param1" => "Micros10.0" }, "opcode" => "Info", "syslog_severity" => "notice", "tags" => [ [0] "beats_input_codec_plain_applied" ], "@timestamp" => 2015-08-09T04:03:02.000Z, "event_id" => 1035, "beat" => { "name" => "hostname", "hostname" => "hostname", "version" => "5.6.1" }, "user" => { "name" => "SYSTEM", "identifier" => "S-1-5-18", "type" => "Well Known Group", "domain" => "NT AUTHORITY" }, "source_name" => "MsiInstaller" }oft System Center Virtual Machine Manager DHCP Server (x64)", "param2" => "3.2.7510.0" }, "opcode" => "Info", "syslog_severity" => "notice", "tags" => [ [0] "beats_input_codec_plain_applied" ], "@timestamp" => 2015-08-09T04:03:02.000Z, "event_id" => 1035, "beat" => { "name" => "hostname", "hostname" => "hostname", "version" => "5.6.1" }, "user" => { "name" => "SYSTEM", "identifier" => "S-1-5-18", "type" => "Well Known Group", "domain" => "NT AUTHORITY" }, "source_name" => "MsiInstaller" }
Any ideas why this happens?