I want event ID 4104 (PowerShell scriptblock logging) to populate the username in the user.name field. What is the best way to get the username to populate into the user.name field in Elasticsearch? Event IDs 4688 and 1 (process create native and Sysmon) put the username in the user.name field, but…

I found a solution: I added the following to the winlogbeat.yml processors section for the ForwardedEvents log. - copy_fields: when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational fields: - from: winlog.user.name to: user.name fail…

Discuss the Elastic Stack

User.name field for event ID 4104

Elastic Stack Beats

system (system) Closed May 20, 2020, 4:06pm 3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Copy winlog.user.name (if present) to user.name (if missing) Beats winlogbeat	6	754	May 25, 2020
Fields not populated Beats winlogbeat	4	944	August 7, 2019
Field is not renaming Logstash	6	368	August 26, 2020
Winlogbeat user.name is missing in event 4634 (Logoff Event) - ECS Missing Correlation Beats winlogbeat	11	1531	September 3, 2019
How catch "user.name" parameter from winlog with logstash Logstash	6	202	October 26, 2023

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.

User.name field for event ID 4104

Related topics