Just starting with Winlogbeat 6.6.2 on Server 2012 and ELK (on Ubuntu) and I think the message section of the Event is being sent in binary and not text. The sample of the section below is from the Winlogbeat log file in debug mode. Other sections (process_id, source_name, ObjectName, etc.) seem to be sent properly.
I've seen references to WECUTIL to change the format of the log (Rendered Text vs. Events), but I have no subscriptions defined when I invoke it with the es switch, nor am I forwarding from any other boxes.
Is this the normal format for the "message" portion of the event, or am I missing something in my setup?
Thank you in advance.
"message": "An attempt was made to access an object.\\u000d\\u000a\\u000d\\u000aSubject:\\u000d\\u000a\\u0009Security ID:\\u0009\\u0009S-3-9-54-659033-849752-895726-52082578-1836\\u000d\\u000a\\u0009Account Name:\\u0009\\u0009NAME\\u000d\\u000a\\u0009Account Domain:\\u0009\\u0009DOMAIN\\u000d\\u000a\\u0009Logon ID:\\u0009\\u00090x1E3DD61A6C\\u000d\\u000a\\u000d\\u000aObject:\\u000d\\u000a\\u0009Object Server:\\u0009\\u0009Security\\u000d\\u000a\\u0009Object Type:\\u0009\\u0009File\\u000d\\u000a\\u0009Object Name:\\u0009\\u0009I:\\FOLDER\\FOLDER\\FOLDER\\FOLDER\\FOLDER\\FILE.NAME\\u000d\\u000a\\u0009Handle ID:\\u0009\\u00090xa610\\u000d\\u000a\\u0009Resource Attributes:\\u0009S:AI\\u000d\\u000a\\u000d\\u000aProcess Information:\\u000d\\u000a\\u0009Process ID:\\u0009\\u00090x4\\u000d\\u000a\\u0009Process Name:\\u0009\\u0009\\u000d\\u000a\\u000d\\u000aAccess Request Information:\\u000d\\u000a\\u0009Accesses:\\u0009\\u0009WriteData (or AddFile)\\u000d\\u000a\\u0009\\u0009\\u0009\\u0009\\u000d\\u000a\\u0009Access Mask:\\u0009\\u00090x2",