Hello,
I configured Winlogbeat to send Windows events to Logstash, but I see no `event.category` field in the events received by Logstash.
To debug this, I disabled the Logstash output and enabled the file output instead, and I still see the same issue. Can anyone help with this?
- Winlogbeat configuration (winlogbeat.yml):
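# Winlogbeat event-log collection as posted. The pasted copy had lost all
# indentation, which makes it invalid YAML (a top-level `ignore_older:` key
# cannot follow a `- name:` sequence item); nesting is restored below.
#
# NOTE(review): the raw event written by output.file / output.logstash only
# carries the fields the beat itself sets under `event` (action, code, kind,
# provider, created). ECS enrichment such as event.category / event.type for
# the Sysmon, Security and PowerShell channels is added by the module ingest
# pipelines, which run in Elasticsearch rather than in the beat — so it is
# expected that neither the file output nor Logstash sees event.category.
# Confirm against the Winlogbeat docs for this version (8.9.2) how to load the
# pipelines (`winlogbeat setup --pipelines`) and route events through them
# from Logstash's elasticsearch output.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h          # only Application is bounded; other channels replay history on first start
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]          # matched by the add_host_metadata condition below

# Debug-only file output. Events include command lines, file hashes, SIDs,
# host names and addresses; remove this output and the written file once
# debugging is done rather than leaving them in a user profile directory.
output.file:
  path: C:\Users\Administrator\Downloads
  filename: winlogbeat

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded   # forwarded events describe other hosts, not this one
  - add_cloud_metadata: ~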
- Winlogbeat file output:
{"@timestamp":"2023-09-19T09:53:00.603Z","@metadata":{"beat":"winlogbeat","type":"_doc","version":"8.9.2"},"winlog":{"record_id":751,"provider_name":"Microsoft-Windows-Sysmon","event_id":"1","process":{"pid":4480,"thread":{"id":6016}},"opcode":"Info","task":"Process Create (rule: ProcessCreate)","provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","version":5,"event_data":{"ProcessId":"512","Product":"Winlogbeat","FileVersion":"8.9.2","OriginalFileName":"winlogbeat.exe","UtcTime":"2023-09-19 09:53:00.602","User":"NT AUTHORITY\\SYSTEM","LogonId":"0x3e7","TerminalSessionId":"0","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentUser":"NT AUTHORITY\\SYSTEM","ProcessGuid":"{EBEE6886-6F7C-6509-E738-000000000700}","ParentProcessId":"628","Image":"C:\\Program Files\\Winlogbeat\\winlogbeat.exe","IntegrityLevel":"System","Company":"Elastic","CommandLine":"\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" --environment=windows_service -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" --path.home \"C:\\Program Files\\Winlogbeat\" --path.data \"C:\\ProgramData\\winlogbeat\" --path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true","RuleName":"technique=T1053.002,technique_name=At","ParentImage":"C:\\Windows\\System32\\services.exe","CurrentDirectory":"C:\\Windows\\system32\\","LogonGuid":"{EBEE6886-E603-64F5-E703-000000000000}","Hashes":"SHA1=5F2BB91DB9194142969FCF4D3F3DBE207D082A9D,MD5=9444244A68DDB09AA96006F8F50A1B23,SHA256=7B19B95ED56EA60F7E5367B0894AA3B0D43765F714C7DD504DD364A0EF77AAA9,IMPHASH=FF9F3A86709796C17211F9DF12AAE74D","Description":"Winlogbeat ships Windows event logs to Elasticsearch or Logstash.","ParentProcessGuid":"{EBEE6886-E603-64F5-0A00-000000000700}"},"api":"wineventlog","channel":"Microsoft-Windows-Sysmon/Operational","computer_name":"App02.tree.corp","user":{"identifier":"S-1-5-18","domain":"NT AUTHORITY","name":"SYSTEM","type":"User"}},**"event":{"action":"Process Create (rule: 
ProcessCreate)","created":"2023-09-19T09:53:58.366Z","code":"1","kind":"event","provider":"Microsoft-Windows-Sysmon"}**,"log":{"level":"information"},"message":"Process Create:\nRuleName: technique=T1053.002,technique_name=At\nUtcTime: 2023-09-19 09:53:00.602\nProcessGuid: {EBEE6886-6F7C-6509-E738-000000000700}\nProcessId: 512\nImage: C:\\Program Files\\Winlogbeat\\winlogbeat.exe\nFileVersion: 8.9.2\nDescription: Winlogbeat ships Windows event logs to Elasticsearch or Logstash.\nProduct: Winlogbeat\nCompany: Elastic\nOriginalFileName: winlogbeat.exe\nCommandLine: \"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" --environment=windows_service -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" --path.home \"C:\\Program Files\\Winlogbeat\" --path.data \"C:\\ProgramData\\winlogbeat\" --path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true\nCurrentDirectory: C:\\Windows\\system32\\\nUser: NT AUTHORITY\\SYSTEM\nLogonGuid: {EBEE6886-E603-64F5-E703-000000000000}\nLogonId: 0x3E7\nTerminalSessionId: 0\nIntegrityLevel: System\nHashes: SHA1=5F2BB91DB9194142969FCF4D3F3DBE207D082A9D,MD5=9444244A68DDB09AA96006F8F50A1B23,SHA256=7B19B95ED56EA60F7E5367B0894AA3B0D43765F714C7DD504DD364A0EF77AAA9,IMPHASH=FF9F3A86709796C17211F9DF12AAE74D\nParentProcessGuid: {EBEE6886-E603-64F5-0A00-000000000700}\nParentProcessId: 628\nParentImage: C:\\Windows\\System32\\services.exe\nParentCommandLine: C:\\Windows\\system32\\services.exe\nParentUser: NT AUTHORITY\\SYSTEM","host":{"name":"app02","ip":["192.168.68.170","fe80::5efe:c0a8:44aa","fe80::ffff:ffff:fffe"],"mac":["00-00-00-00-00-00-00-E0","00-50-56-B8-1F-C3"],"hostname":"app02","architecture":"x86_64","os":{"build":"14393.447","type":"windows","platform":"windows","version":"10.0","family":"windows","name":"Windows Server 2016 Standard","kernel":"10.0.14393.447 
(rs1_release_inmarket.161102-0100)"},"id":"ebee6886-8014-489c-8017-9bd6d91999f5"},"ecs":{"version":"8.0.0"},"agent":{"version":"8.9.2","ephemeral_id":"5abba7d0-3b63-4ff3-b548-8eaeb855162c","id":"3e15c645-8fd1-498c-923b-a323bacaca12","name":"App02","type":"winlogbeat"}}