Problems with bad authentification logs on windows

hash-ill · May 9, 2018, 10:16am

Hi everybody,
I'm new here and i have few questions.
First, I install ELK with X-pack and I have some problem:
My authentifications fails does not appears on my discover menu in kibana. When I fail authentification, the log is interpreted like an "audit success" and the event id is "4624" who's match with a good authentification Id.
I don't get why the bad authentification logs are interpreted like a good authentification.
IDK if it's a bad interpretation on kibana or a problem in winlogbeats.
thanks for you responses
Ps: excuse my english i'm french

exekias · May 9, 2018, 10:27am

Hi @hash-ill,

Could you please paste winlogbeat logs to check what's going on?

Best regards

hash-ill · May 9, 2018, 12:19pm

capture%20log%20windows

first, thanks for you response, i give your the windows log in windows and inn kibana.
The same event but big differences in the interpretation.
Best regards

andrewkroh · May 9, 2018, 8:01pm

Can you share the raw XML view of the event. To get the XML included in the event for debugging you need to add include_xml: true to your config. Then you can see the raw XML in Kibana that Windows provides to Winlogbeat. You can see some examples of the conversion here.

From the XML, Winlogbeat uses the RenderingInfo.Level value for its level value. If that field isn't present then it falls back to using the numeric Level value and converts it to text based on the table defined for event type values.

hash-ill · May 11, 2018, 2:30pm

Thanks for your respons @andrewkroh, i don't know where i find the raw xml, i change the kibana.yml file as you said and i can't use kibana after that.
I don't undestand why just a line like this is so influent. In fact the kibana service run (so there is no syntax error on my line) but i can't access to the kibana interface on the web.

andrewkroh · May 11, 2018, 3:40pm

I never said to modify a kibana.yml. I want to you to add include_xml: true to your Winlogbeat configuration (the link I gave points to the Winlogbeat documentation and shows an example of how your winlogbeat.yml should look when you use include_xml: true).

winlogbeat.event_logs:
  - name: Security
    include_xml: true

Then after adding making this change to Winlogbeat, events from the Security log will include a field named xml.

hash-ill · May 14, 2018, 10:13am

My bad, i wasn't understood this. I test this and it works, thank you very much.

system · June 11, 2018, 10:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.