No event.category in Winlogbeat

Ronger03 · September 19, 2023, 10:03am

Hello,

I configured winlogbeat to send windows events to Logstash but I see no event.category field in the events received on Logstash.
Then I tried to debug by disable Logstash output, enable file output and still see the same issue. Anyone can help with this issue?

Logstash Configuration:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: ForwardedEvents
    tags: [forwarded]

output.file:
  path: C:\Users\Administrator\Downloads
  filename: winlogbeat

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

Winlogbeat file output:

{"@timestamp":"2023-09-19T09:53:00.603Z","@metadata":{"beat":"winlogbeat","type":"_doc","version":"8.9.2"},"winlog":{"record_id":751,"provider_name":"Microsoft-Windows-Sysmon","event_id":"1","process":{"pid":4480,"thread":{"id":6016}},"opcode":"Info","task":"Process Create (rule: ProcessCreate)","provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","version":5,"event_data":{"ProcessId":"512","Product":"Winlogbeat","FileVersion":"8.9.2","OriginalFileName":"winlogbeat.exe","UtcTime":"2023-09-19 09:53:00.602","User":"NT AUTHORITY\\SYSTEM","LogonId":"0x3e7","TerminalSessionId":"0","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentUser":"NT AUTHORITY\\SYSTEM","ProcessGuid":"{EBEE6886-6F7C-6509-E738-000000000700}","ParentProcessId":"628","Image":"C:\\Program Files\\Winlogbeat\\winlogbeat.exe","IntegrityLevel":"System","Company":"Elastic","CommandLine":"\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" --environment=windows_service -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" --path.home \"C:\\Program Files\\Winlogbeat\" --path.data \"C:\\ProgramData\\winlogbeat\" --path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true","RuleName":"technique=T1053.002,technique_name=At","ParentImage":"C:\\Windows\\System32\\services.exe","CurrentDirectory":"C:\\Windows\\system32\\","LogonGuid":"{EBEE6886-E603-64F5-E703-000000000000}","Hashes":"SHA1=5F2BB91DB9194142969FCF4D3F3DBE207D082A9D,MD5=9444244A68DDB09AA96006F8F50A1B23,SHA256=7B19B95ED56EA60F7E5367B0894AA3B0D43765F714C7DD504DD364A0EF77AAA9,IMPHASH=FF9F3A86709796C17211F9DF12AAE74D","Description":"Winlogbeat ships Windows event logs to Elasticsearch or Logstash.","ParentProcessGuid":"{EBEE6886-E603-64F5-0A00-000000000700}"},"api":"wineventlog","channel":"Microsoft-Windows-Sysmon/Operational","computer_name":"App02.tree.corp","user":{"identifier":"S-1-5-18","domain":"NT AUTHORITY","name":"SYSTEM","type":"User"}},**"event":{"action":"Process Create (rule: ProcessCreate)","created":"2023-09-19T09:53:58.366Z","code":"1","kind":"event","provider":"Microsoft-Windows-Sysmon"}**,"log":{"level":"information"},"message":"Process Create:\nRuleName: technique=T1053.002,technique_name=At\nUtcTime: 2023-09-19 09:53:00.602\nProcessGuid: {EBEE6886-6F7C-6509-E738-000000000700}\nProcessId: 512\nImage: C:\\Program Files\\Winlogbeat\\winlogbeat.exe\nFileVersion: 8.9.2\nDescription: Winlogbeat ships Windows event logs to Elasticsearch or Logstash.\nProduct: Winlogbeat\nCompany: Elastic\nOriginalFileName: winlogbeat.exe\nCommandLine: \"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" --environment=windows_service -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" --path.home \"C:\\Program Files\\Winlogbeat\" --path.data \"C:\\ProgramData\\winlogbeat\" --path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true\nCurrentDirectory: C:\\Windows\\system32\\\nUser: NT AUTHORITY\\SYSTEM\nLogonGuid: {EBEE6886-E603-64F5-E703-000000000000}\nLogonId: 0x3E7\nTerminalSessionId: 0\nIntegrityLevel: System\nHashes: SHA1=5F2BB91DB9194142969FCF4D3F3DBE207D082A9D,MD5=9444244A68DDB09AA96006F8F50A1B23,SHA256=7B19B95ED56EA60F7E5367B0894AA3B0D43765F714C7DD504DD364A0EF77AAA9,IMPHASH=FF9F3A86709796C17211F9DF12AAE74D\nParentProcessGuid: {EBEE6886-E603-64F5-0A00-000000000700}\nParentProcessId: 628\nParentImage: C:\\Windows\\System32\\services.exe\nParentCommandLine: C:\\Windows\\system32\\services.exe\nParentUser: NT AUTHORITY\\SYSTEM","host":{"name":"app02","ip":["192.168.68.170","fe80::5efe:c0a8:44aa","fe80::ffff:ffff:fffe"],"mac":["00-00-00-00-00-00-00-E0","00-50-56-B8-1F-C3"],"hostname":"app02","architecture":"x86_64","os":{"build":"14393.447","type":"windows","platform":"windows","version":"10.0","family":"windows","name":"Windows Server 2016 Standard","kernel":"10.0.14393.447 (rs1_release_inmarket.161102-0100)"},"id":"ebee6886-8014-489c-8017-9bd6d91999f5"},"ecs":{"version":"8.0.0"},"agent":{"version":"8.9.2","ephemeral_id":"5abba7d0-3b63-4ff3-b548-8eaeb855162c","id":"3e15c645-8fd1-498c-923b-a323bacaca12","name":"App02","type":"winlogbeat"}}

Ronger03 · September 20, 2023, 2:37am

Any help?

leandrojmp · September 20, 2023, 3:35am

Hello and welcome,

Winlogbeat uses Elasticsearch Ingest pipelines to create some fields, the event.category field is created by the ingest pipelines, not by winlogbeat itself.

How did you configured your logstash output? You need to configure it as described in this documentation.

Ronger03 · September 20, 2023, 4:19am

Hi Leandro,

Thanks for your information. Let me try and let you know the result.

This seems new to me since the previous version of winlogbeat does not required this.

Ronger03 · September 20, 2023, 6:06am

Hi Leandro,

I tried to follow that but it didn't work.

My Ingest Pipelines:

image907×255 16.6 KB
My Logstash Configuration:

input {
  beats {
    port => 5044
  }
}

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => ["https://192.168.6.74:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
      pipeline => "%{[@metadata][pipeline]}"
      user => "elastic"
      password => "4XSqby_P8meRW5=Q"
      cacert => '/etc/logstash/http_ca.crt'
    }
  } else {
    elasticsearch {
      hosts => ["https://192.168.6.74:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
      user => "elastic"
      password => "4XSqby_P8meRW5=Q"
      cacert => '/etc/logstash/http_ca.crt'
    }
  }
}

Ronger03 · September 21, 2023, 2:49am

Anyone has any ideas on this?

Ronger03 · September 21, 2023, 8:33am

Restart elasticsearch service solve it.

Thansk Leandro!

system · October 19, 2023, 10:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.