Hello everybody,
I'm new working with the ELK stack.
Actually I realized that it seems to be impossible to get the details of events with Winlogbeat.
Only the General (or System in XML view) section is parsed.
Did I miss any configuration setting or is this planned for future versions?
Thanks
Sebastian
Hi @snbart1, the EventData is incorporated into the message string, but the raw EventData fields are not included in the event. IMO this is the most important feature to add next. Related: https://github.com/elastic/beats/pull/689#issuecomment-172583954 and https://github.com/elastic/beats/issues/1053
Hi Andrew,
thanks for your quick reply.
What's the rough timeline until seeing this implemented?
It will probably be released in 5.1. We are about to feature freeze for 5.0 so this isn't going to be ready for that release.
Over the weekend I experimented with getting the EventData from the Windows APIs. It seems pretty simple if I get the event as XML and parse the data. It shouldn't take too long to implement, but I'll need to do some testing to see how XML parsing impacts performance. You can subscribe to https://github.com/elastic/beats/issues/1053 if you want to follow progress on the issue. Once the feature is implemented it will be available in development builds if you want to test/try it before the official release.
Hi @snbart1, this has been implemented. See my message here: Winlogbeat and User sessions (parsing fields from message)
Great to hear.
Will give it a try for sure
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.