SIEM not ingesting Windows logs from servers

Hello,

I've been testing the new SIEM function, I've got 2 domain controllers/servers sending through logs via Winlogbeat and 4 client PCs sending logs again through the same method. When I check via dashboards or even just the 'winlogbeat*' stream, I am seeing all the information. On the SIEM however, it is not picking up the events from the servers/domain controllers. Just the logs from the 4 client PCs. Is there a way to get the SIEM function to recognize this?

Hi @sc1, do you mind pasting one of those events that is not showing up (e.g. just copy/paste it out of the JSON view in Discover)?

Hey Chris!

So in the last 15 minutes I've had 60,843 events come through winlogbeat but I don't see this being reflected on the SIEM app. On the hosts page, I only see the hosts sending via Auditbeat and the 4 client Windows 10 machines. None of the domain controllers are appearing:

{
  "_index": "winlogbeat-6.5.4-2019.07.03",
  "_type": "_doc",
  "_id": "OSXat2sBiEqA9iJoAwMG",
  "_version": 1,
  "_score": null,
  "_source": {
    "host": {
      "name": "XXXXXX"
    },
    "opcode": "Info",
    "keywords": [
      "Audit Success"
    ],
    "task": "Logoff",
    "thread_id": 4840,
    "source_name": "Microsoft-Windows-Security-Auditing",
    "computer_name": "XXXXXXX",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "@timestamp": "2019-07-03T12:40:45.234Z",
    "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3967722400-1698878302-1112778811-299679\n\tAccount Name:\t\tXXXXXXXX1$\n\tAccount Domain:\t\tXXXXXX\n\tLogon ID:\t\t0x50XXXXXX4\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
    "type": "wineventlog",
    "@version": "1",
    "process_id": 560,
    "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "record_number": "86679079",
    "event_id": 4634,
    "log_name": "Security",
    "beat": {
      "name": "XXXXX",
      "hostname": "XXXXXX",
      "version": "6.5.4"
    },
    "level": "Information",
    "event_data": {
      "TargetLogonId": "0x5006a2c4",
      "TargetUserSid": "S-1-5-21-3967722400-1698878302-1112778811-299679",
      "LogonType": "3",
      "TargetUserName": "XXXXXXXXX$",
      "TargetDomainName": "XXXXX"
    }
  },
  "fields": {
    "@timestamp": [
      "2019-07-03T12:40:45.234Z"
    ]
  },
  "sort": [
    1562157645234
  ]
}

Ok, I have a suspicion, but just one more question: When you say that you don't see the events in the SIEM app, which widget are you not seeing it in? The Hosts lists (All Hosts), Events, or something else?

Cheers for the swift response Chris.

I don't see them in Overview, and where it shows a table of Host Events in the last XX hours, for Winlogbeat the number is very minimal, corresponding with the logs coming from the 4 Windows 10 machines. Where I should be seeing over 60 thousand, I am seeing 2000 or less. When I click on Hosts, it does not list any of the Windows servers. To test that this is the case, I went to the advanced settings and added metricbeat as a source, and now it's showing all the domain controllers. But these are from metricbeat and, as such, they disappear when I remove it from the source list.

Ok, so it's weird that the host list table at the top of the Hosts tab is not showing the machines. It's aggregating on host.name which in your event is filled.

But for the Overview tab and the events table at the bottom of the Hosts page the problem is that both are relying on fields that are not filled by Winlogbeat prior to 7.0. The Overview tab relies on agent.type: winlogbeat and the events table on the presence of event.action.

We started filling these fields when transitioning Winlogbeat to the Elastic Common Schema (ECS) in version 7.0. Your event seems to be from Winlogbeat 6.5.4. Can you update your Winlogbeat to 7.x, ideally the newest version 7.2.0?

If not, you could also try to fill both fields when ingesting the data, with a custom ingest pipeline. But really, the best and most future-proof thing to do would be to move to 7.x.

As a side note, even moving to 7.x might not show 100% of events from Winlogbeat in the events table. There are some events that do not have a task field (which we use to populate event.action). We're working on what to do in this case.

1 Like
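The reply above names the two fields the SIEM app keys on (agent.type for the Overview tab, event.action for the events table) and suggests filling them at ingest time as a stop-gap for 6.x beats. The following is an added example, not code from the thread or from Elastic: it applies that enrichment in Python to a trimmed copy of the posted event and emits an equivalent Elasticsearch ingest pipeline made of `set` processors. The sample event and hostnames are constructed placeholders; the pipeline description and the choice to derive agent.type from the legacy `beat` block are assumptions. As the reply warns, an event with no `task` field gets no event.action rather than an invented value.

```python
import json
from copy import deepcopy

# Constructed sample: a trimmed version of the Winlogbeat 6.5.4 event posted
# above, with placeholder hostnames (not the original document).
SAMPLE_EVENT = {
    "host": {"name": "DC01"},
    "task": "Logoff",
    "source_name": "Microsoft-Windows-Security-Auditing",
    "event_id": 4634,
    "log_name": "Security",
    "beat": {"name": "DC01", "hostname": "DC01", "version": "6.5.4"},
}


def _set_dotted(doc, path, value):
    """Set a dotted field such as 'event.action' as nested objects (ECS style)."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def ecs_enrich(event):
    """Fill the two ECS fields the SIEM app expects on a Winlogbeat 6.x document.

    Mirrors the ingest pipeline returned by build_ingest_pipeline().
    Returns a new dict; the input document is not modified.
    """
    doc = deepcopy(event)

    # The Overview tab filters on agent.type: winlogbeat. Pre-7.0 documents only
    # carry the legacy 'beat' block, so derive the agent fields from it
    # (assumption: any document with 'beat' and no 'agent' came from Winlogbeat 6.x).
    beat = doc.get("beat")
    if beat and "agent" not in doc:
        _set_dotted(doc, "agent.type", "winlogbeat")
        if beat.get("version"):
            _set_dotted(doc, "agent.version", beat["version"])

    # The events table requires event.action; Winlogbeat 7.x copies it from 'task'.
    # Some Windows events have no task, so leave event.action unset in that case.
    task = doc.get("task")
    if task:
        _set_dotted(doc, "event.action", task)

    return doc


def build_ingest_pipeline():
    """Equivalent Elasticsearch ingest pipeline definition (same conditions as above).

    Processor-level 'if' conditions require Elasticsearch 6.5 or later, which the
    posted index name (winlogbeat-6.5.4-*) suggests is available.
    """
    return {
        "description": "Fill ECS fields the SIEM app expects on Winlogbeat 6.x docs (added example)",
        "processors": [
            {"set": {"field": "agent.type", "value": "winlogbeat",
                     "if": "ctx.beat != null && ctx.agent == null"}},
            {"set": {"field": "agent.version", "value": "{{beat.version}}",
                     "if": "ctx.beat != null && ctx.beat.version != null"}},
            {"set": {"field": "event.action", "value": "{{task}}",
                     "if": "ctx.task != null && ctx.task != ''"}},
        ],
    }


def pipeline_put_body():
    """JSON body for PUT _ingest/pipeline/<name>, ready to send with curl or Dev Tools."""
    return json.dumps(build_ingest_pipeline(), indent=2)


if __name__ == "__main__":
    print(json.dumps(ecs_enrich(SAMPLE_EVENT), indent=2))
    print(pipeline_put_body())
```

The posted event carries the tag `beats_input_codec_plain_applied`, which means it passed through Logstash on the way in; the same two `set` operations can equally be done with a Logstash `mutate` filter before output, whichever point in the path is easier to change. Either way this is a bridge only: the reply's advice to move the beats to 7.x stands, since ECS population is then handled by Winlogbeat itself.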

@elasticpatrick Please do not ask for help on an unrelated thread.

1 Like

Hi Chris, I assumed this would be the case as I only noticed now that my beats on this environment are running behind. Thank you very much for the help!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.