No event.category in Winlogbeat

Hello,

I configured Winlogbeat to send Windows events to Logstash, but I see no event.category field in the events received on Logstash.
Then I tried to debug by disabling the Logstash output and enabling the file output, and I still see the same issue. Can anyone help with this issue?

  • Logstash Configuration:
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: ForwardedEvents
    tags: [forwarded]

output.file:
  path: C:\Users\Administrator\Downloads
  filename: winlogbeat

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

  • Winlogbeat file output:
{"@timestamp":"2023-09-19T09:53:00.603Z","@metadata":{"beat":"winlogbeat","type":"_doc","version":"8.9.2"},"winlog":{"record_id":751,"provider_name":"Microsoft-Windows-Sysmon","event_id":"1","process":{"pid":4480,"thread":{"id":6016}},"opcode":"Info","task":"Process Create (rule: ProcessCreate)","provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","version":5,"event_data":{"ProcessId":"512","Product":"Winlogbeat","FileVersion":"8.9.2","OriginalFileName":"winlogbeat.exe","UtcTime":"2023-09-19 09:53:00.602","User":"NT AUTHORITY\\SYSTEM","LogonId":"0x3e7","TerminalSessionId":"0","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentUser":"NT AUTHORITY\\SYSTEM","ProcessGuid":"{EBEE6886-6F7C-6509-E738-000000000700}","ParentProcessId":"628","Image":"C:\\Program Files\\Winlogbeat\\winlogbeat.exe","IntegrityLevel":"System","Company":"Elastic","CommandLine":"\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" --environment=windows_service -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" --path.home \"C:\\Program Files\\Winlogbeat\" --path.data \"C:\\ProgramData\\winlogbeat\" --path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true","RuleName":"technique=T1053.002,technique_name=At","ParentImage":"C:\\Windows\\System32\\services.exe","CurrentDirectory":"C:\\Windows\\system32\\","LogonGuid":"{EBEE6886-E603-64F5-E703-000000000000}","Hashes":"SHA1=5F2BB91DB9194142969FCF4D3F3DBE207D082A9D,MD5=9444244A68DDB09AA96006F8F50A1B23,SHA256=7B19B95ED56EA60F7E5367B0894AA3B0D43765F714C7DD504DD364A0EF77AAA9,IMPHASH=FF9F3A86709796C17211F9DF12AAE74D","Description":"Winlogbeat ships Windows event logs to Elasticsearch or Logstash.","ParentProcessGuid":"{EBEE6886-E603-64F5-0A00-000000000700}"},"api":"wineventlog","channel":"Microsoft-Windows-Sysmon/Operational","computer_name":"App02.tree.corp","user":{"identifier":"S-1-5-18","domain":"NT AUTHORITY","name":"SYSTEM","type":"User"}},"event":{"action":"Process Create (rule: ProcessCreate)","created":"2023-09-19T09:53:58.366Z","code":"1","kind":"event","provider":"Microsoft-Windows-Sysmon"},"log":{"level":"information"},"message":"Process Create:\nRuleName: technique=T1053.002,technique_name=At\nUtcTime: 2023-09-19 09:53:00.602\nProcessGuid: {EBEE6886-6F7C-6509-E738-000000000700}\nProcessId: 512\nImage: C:\\Program Files\\Winlogbeat\\winlogbeat.exe\nFileVersion: 8.9.2\nDescription: Winlogbeat ships Windows event logs to Elasticsearch or Logstash.\nProduct: Winlogbeat\nCompany: Elastic\nOriginalFileName: winlogbeat.exe\nCommandLine: \"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" --environment=windows_service -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" --path.home \"C:\\Program Files\\Winlogbeat\" --path.data \"C:\\ProgramData\\winlogbeat\" --path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true\nCurrentDirectory: C:\\Windows\\system32\\\nUser: NT AUTHORITY\\SYSTEM\nLogonGuid: {EBEE6886-E603-64F5-E703-000000000000}\nLogonId: 0x3E7\nTerminalSessionId: 0\nIntegrityLevel: System\nHashes: SHA1=5F2BB91DB9194142969FCF4D3F3DBE207D082A9D,MD5=9444244A68DDB09AA96006F8F50A1B23,SHA256=7B19B95ED56EA60F7E5367B0894AA3B0D43765F714C7DD504DD364A0EF77AAA9,IMPHASH=FF9F3A86709796C17211F9DF12AAE74D\nParentProcessGuid: {EBEE6886-E603-64F5-0A00-000000000700}\nParentProcessId: 628\nParentImage: C:\\Windows\\System32\\services.exe\nParentCommandLine: C:\\Windows\\system32\\services.exe\nParentUser: NT AUTHORITY\\SYSTEM","host":{"name":"app02","ip":["192.168.68.170","fe80::5efe:c0a8:44aa","fe80::ffff:ffff:fffe"],"mac":["00-00-00-00-00-00-00-E0","00-50-56-B8-1F-C3"],"hostname":"app02","architecture":"x86_64","os":{"build":"14393.447","type":"windows","platform":"windows","version":"10.0","family":"windows","name":"Windows Server 2016 Standard","kernel":"10.0.14393.447 (rs1_release_inmarket.161102-0100)"},"id":"ebee6886-8014-489c-8017-9bd6d91999f5"},"ecs":{"version":"8.0.0"},"agent":{"version":"8.9.2","ephemeral_id":"5abba7d0-3b63-4ff3-b548-8eaeb855162c","id":"3e15c645-8fd1-498c-923b-a323bacaca12","name":"App02","type":"winlogbeat"}}

Any help?

Hello and welcome,

Winlogbeat uses Elasticsearch ingest pipelines to create some fields; the event.category field is created by the ingest pipelines, not by Winlogbeat itself.

How did you configure your Logstash output? You need to configure it as described in this documentation.
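To make the point above concrete, here is an added example (not from this thread, and not Winlogbeat's or Elastic's own code) that you can run offline. It takes a trimmed copy of the Sysmon event id 1 document pasted in the question, shows that the raw document has no event.category, applies a reduced, assumed approximation of the ECS categorisation that the Winlogbeat ingest pipelines would add (including splitting the Sysmon Hashes string into process.hash.* fields), and finally audits a batch of documents for events that skipped the pipeline, which is the check you would want on the Elasticsearch side before trusting any detection rule keyed on event.category. RAW_EVENT and ECS_MAP are constructed for the example; the mapping is an illustration, not the pipeline's exact logic.

```python
"""Why event.category is missing from raw Winlogbeat output, and how to audit for it.

Added example; not Winlogbeat's or Elastic's code. ECS_MAP below is an assumed,
reduced approximation of the categorisation done by the Winlogbeat ingest
pipelines and is only meant to illustrate the server-side enrichment step.
"""
import copy
import json
from collections import Counter

# Constructed sample: a hand-trimmed subset of the Sysmon event id 1 document
# from the question (same field names, most values dropped). Note that the
# "event" object carries code/kind/provider but no "category" or "type".
RAW_EVENT = {
    "@timestamp": "2023-09-19T09:53:00.603Z",
    "winlog": {
        "provider_name": "Microsoft-Windows-Sysmon",
        "channel": "Microsoft-Windows-Sysmon/Operational",
        "event_id": "1",
        "event_data": {
            "Image": "C:\\Program Files\\Winlogbeat\\winlogbeat.exe",
            "Hashes": "SHA1=5F2BB91DB9194142969FCF4D3F3DBE207D082A9D,"
                      "MD5=9444244A68DDB09AA96006F8F50A1B23,"
                      "SHA256=7B19B95ED56EA60F7E5367B0894AA3B0D43765F714C7DD504DD364A0EF77AAA9,"
                      "IMPHASH=FF9F3A86709796C17211F9DF12AAE74D",
        },
    },
    "event": {"code": "1", "kind": "event", "provider": "Microsoft-Windows-Sysmon"},
}

# Assumption: reduced ECS categorisation keyed by (event.provider, event.code).
ECS_MAP = {
    ("Microsoft-Windows-Sysmon", "1"): {"category": ["process"], "type": ["start"]},
    ("Microsoft-Windows-Sysmon", "3"): {"category": ["network"], "type": ["connection", "start", "protocol"]},
    ("Microsoft-Windows-Security-Auditing", "4624"): {"category": ["authentication"], "type": ["start"], "outcome": "success"},
    ("Microsoft-Windows-Security-Auditing", "4625"): {"category": ["authentication"], "type": ["start"], "outcome": "failure"},
    ("Microsoft-Windows-Security-Auditing", "4688"): {"category": ["process"], "type": ["start"]},
}


def get_path(doc, path, default=None):
    """Read a dotted path such as 'event.category' from a nested dict."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def parse_sysmon_hashes(hashes):
    """Split Sysmon's 'ALG=HEX,ALG=HEX' string into {alg: hex}; hex is lowercased."""
    out = {}
    for part in hashes.split(","):
        alg, _, value = part.partition("=")
        alg, value = alg.strip().lower(), value.strip().lower()
        if alg and value:
            out[alg] = value
    return out


def categorize(doc):
    """Return a copy of doc with the ECS enrichment a pipeline would add; the input is untouched."""
    enriched = copy.deepcopy(doc)
    key = (get_path(doc, "event.provider"), str(get_path(doc, "event.code")))
    rule = ECS_MAP.get(key)
    if rule is None:
        return enriched  # unknown event: nothing to add, just like an unmatched pipeline
    enriched.setdefault("event", {}).update(copy.deepcopy(rule))
    if key[0] == "Microsoft-Windows-Sysmon":
        hashes = get_path(doc, "winlog.event_data.Hashes")
        if hashes:
            parsed = parse_sysmon_hashes(hashes)
            imphash = parsed.pop("imphash", None)  # ECS keeps imphash under process.pe, not process.hash
            proc = enriched.setdefault("process", {})
            proc["hash"] = parsed
            if imphash:
                proc.setdefault("pe", {})["imphash"] = imphash
    return enriched


def audit_missing_category(docs):
    """Count documents per winlog.channel that carry no event.category.

    Any non-zero count means events reached the index without the ingest
    pipeline, so rules like 'event.category:process' will silently miss them.
    """
    missing = Counter()
    for d in docs:
        if get_path(d, "event.category") is None:
            missing[get_path(d, "winlog.channel", "<unknown>")] += 1
    return dict(missing)


if __name__ == "__main__":
    enriched = categorize(RAW_EVENT)
    print("raw event.category:", get_path(RAW_EVENT, "event.category"))
    print(json.dumps({"event": enriched["event"], "process": enriched["process"]}, indent=2))
    print("missing after audit:", audit_missing_category([RAW_EVENT, enriched]))
```

Run it as-is to see the before/after on the sample document. In a real deployment the same audit is a terms aggregation on winlog.channel with a `must_not exists event.category` filter; if it returns anything for the Sysmon or Security channels, the Logstash output is not passing the pipeline name, or the pipelines were never loaded into Elasticsearch.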

Hi Leandro,

Thanks for your information. Let me try and let you know the result.

This seems new to me, since the previous version of Winlogbeat did not require this.

Hi Leandro,

I tried to follow that but it didn't work.

input {
  beats {
    port => 5044
  }
}

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => ["https://192.168.6.74:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
      pipeline => "%{[@metadata][pipeline]}"
      user => "elastic"
      password => "4XSqby_P8meRW5=Q"
      cacert => '/etc/logstash/http_ca.crt'
    }
  } else {
    elasticsearch {
      hosts => ["https://192.168.6.74:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
      user => "elastic"
      password => "4XSqby_P8meRW5=Q"
      cacert => '/etc/logstash/http_ca.crt'
    }
  }
}

Does anyone have any ideas on this?

Restarting the Elasticsearch service solved it.

Thanks Leandro!