I changed the winlogbeat-security.js file as shown below:
// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.
var security = (function () {
var path = require("path");
var processor = require("processor");
var winlogbeat = require("winlogbeat");
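// Maps the numeric LogonType value carried by Windows logon events to its
// documented name. Keys are strings because they are used as property names.
// The code that consumes this table is outside this excerpt (presumably
// addLogonType); confirm how it treats a value that has no entry here.
var logonTypes = {
    // 0 is only used by the System account, for example at system startup.
    "0": "System",
    "2": "Interactive",
    "3": "Network",
    "4": "Batch",
    "5": "Service",
    "7": "Unlock",
    "8": "NetworkCleartext",
    "9": "NewCredentials",
    "10": "RemoteInteractive",
    "11": "CachedInteractive",
    // Cached-credential variants of remote-interactive and unlock logons.
    // Without these entries such logons would carry no readable type name,
    // which makes remote-access activity harder to filter on.
    "12": "CachedRemoteInteractive",
    "13": "CachedUnlock",
};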
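// Maps a Security-log event ID to a short, human-readable action label.
// The consumer is outside this excerpt (presumably addActionDesc, which is
// appended to every chain below) -- confirm which field it writes.
//
// Every event ID that the exported dispatch table routes to a chain should
// have an entry here. 4647 and 4648 are routed (to the logoff and
// logon-success chains) but had no label, so they are added; their wording
// follows the event descriptions in the dispatch-table comments.
var eventActionTypes = {
    "4624": "Logon Success",
    "4625": "Logon Failed",
    "4634": "Logoff",
    "4647": "User Initiated Logoff",
    // 4648 records an attempt made with explicit credentials; it is labelled
    // separately so it is not counted as an ordinary successful logon.
    "4648": "Explicit Credential Logon",
    "4672": "Special Logon",
    "4720": "Account Created",
    "4722": "Account Enabled",
    "4723": "Password Change",
    "4724": "Password Reset",
    "4725": "Account Disabled",
    "4726": "Account Deleted",
    "4738": "Account Changed",
    "4740": "Account Locked Out",
    "4767": "Account Unlocked",
    "4781": "Account Renamed"
};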
.............................................
.............................................
// Handles 4634 and 4647.
// Logoff chain. Judging by the helper names it copies the target user and its
// logon ID, then adds the logon type and the action description; the helpers
// are defined outside this excerpt, so their output fields are not confirmed.
// NOTE(review): confirm eventActionTypes has an entry for every event ID routed
// to this chain (4634 and 4647) -- addActionDesc presumably looks the ID up there.
var logoff = new processor.Chain()
.Add(copyTargetUser)
.Add(copyTargetUserLogonId)
.Add(addLogonType)
.Add(addActionDesc)
.Build();
// Handles both 4624 and 4648.
// Logon chain shared by both event IDs; the helpers are defined outside this
// excerpt.
// NOTE(review): 4648 is "a logon was attempted using explicit credentials",
// yet this chain begins with addAuthSuccess. Confirm that whatever outcome
// addAuthSuccess records is intended for 4648 too, because detections keyed on
// that outcome will treat every 4648 as a successful authentication.
// NOTE(review): confirm eventActionTypes has an entry for both routed IDs --
// addActionDesc presumably looks the ID up there.
var logonSuccess = new processor.Chain()
.Add(addAuthSuccess)
.Add(copyTargetUser)
.Add(copyTargetUserLogonId)
.Add(addLogonType)
.Add(renameCommonAuthFields)
.Add(addActionDesc)
.Build();
// Chain for 4625 (an account failed to log on), as wired in the exported
// dispatch table. All helpers are defined outside this excerpt.
// The three addFailure* steps presumably translate the event's failure reason,
// Status and SubStatus codes into readable text -- confirm against their
// definitions, since those fields are what distinguishes a wrong password from
// an unknown, disabled or locked-out account when triaging failed logons.
var event4625 = new processor.Chain()
.Add(addAuthFailed)
.Add(copyTargetUser)
.Add(copyTargetUserLogonId)
.Add(addLogonType)
.Add(addFailureCode)
.Add(addFailureStatus)
.Add(addFailureSubStatus)
.Add(renameCommonAuthFields)
.Add(addActionDesc)
.Build();
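// Chain for 4672 (special privileges assigned to new logon), as wired in the
// exported dispatch table. copySubjectUser, copySubjectUserLogonId and
// addActionDesc are defined outside this excerpt.
//
// The inline step rewrites winlog.event_data.PrivilegeList from one
// whitespace-separated string into an array with one privilege name per
// element, so individual privileges can be matched exactly.
var event4672 = new processor.Chain()
    .Add(copySubjectUser)
    .Add(copySubjectUserLogonId)
    .Add(function(evt) {
        var privs = evt.Get("winlog.event_data.PrivilegeList");
        // Nothing to do when the field is missing or empty. Also skip a value
        // that cannot be split (for example one that is already an array),
        // instead of throwing inside the processor.
        if (!privs || typeof privs.split !== "function") {
            return;
        }
        // Leading or trailing whitespace makes split() return empty strings;
        // drop them so the array holds privilege names only.
        var parts = privs.split(/\s+/);
        var names = [];
        for (var i = 0; i < parts.length; i++) {
            if (parts[i] !== "") {
                names.push(parts[i]);
            }
        }
        evt.Put("winlog.event_data.PrivilegeList", names);
    })
    .Add(addActionDesc)
    .Build();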
// Shared chain for the account-management events. The exported dispatch table
// routes 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740 and 4767 to it.
// Helpers are defined outside this excerpt. Judging by their names, the target
// user is the account being changed and the subject logon ID belongs to the
// account performing the change -- confirm which fields each one writes.
// NOTE(review): confirm eventActionTypes has an entry for every routed ID --
// addActionDesc presumably looks the ID up there.
var userMgmtEvts = new processor.Chain()
.Add(copyTargetUser)
.Add(copySubjectUserLogonId)
.Add(renameCommonAuthFields)
.Add(addActionDesc)
.Build();
// Chain for 4781 (the name of an account was changed), as wired in the exported
// dispatch table. It uses copyOldTargetUser instead of copyTargetUser;
// presumably that helper reads the pre-rename account name -- confirm against
// its definition, which is outside this excerpt.
var userRenamed = new processor.Chain()
.Add(copyOldTargetUser)
.Add(copySubjectUserLogonId)
.Add(addActionDesc)
.Build();
// Public interface of the module: one entry per supported Security-log event
// ID, each bound to the Run function of the chain that enriches it, plus the
// process() dispatcher that selects the entry for an incoming event.
return {
    // --- Logon and logoff ---
    // 4624 - An account was successfully logged on.
    4624: logonSuccess.Run,
    // 4625 - An account failed to log on.
    4625: event4625.Run,
    // 4634 - An account was logged off.
    4634: logoff.Run,
    // 4647 - User initiated logoff.
    4647: logoff.Run,
    // 4648 - A logon was attempted using explicit credentials.
    4648: logonSuccess.Run,
    // 4672 - Special privileges assigned to new logon.
    4672: event4672.Run,

    // --- Account management ---
    // 4720 - A user account was created.
    4720: userMgmtEvts.Run,
    // 4722 - A user account was enabled.
    4722: userMgmtEvts.Run,
    // 4723 - An attempt was made to change an account's password.
    4723: userMgmtEvts.Run,
    // 4724 - An attempt was made to reset an account's password.
    4724: userMgmtEvts.Run,
    // 4725 - A user account was disabled.
    4725: userMgmtEvts.Run,
    // 4726 - A user account was deleted.
    4726: userMgmtEvts.Run,
    // 4738 - A user account was changed.
    4738: userMgmtEvts.Run,
    // 4740 - An account was locked out.
    4740: userMgmtEvts.Run,
    // 4767 - A user account was unlocked.
    4767: userMgmtEvts.Run,
    // 4781 - The name of an account was changed.
    4781: userRenamed.Run,

    // Looks up the handler registered under the event's winlog.event_id and,
    // when one exists, tags the event with event.module = "security" and runs
    // the handler on it. Events with no registered handler are left untouched.
    // The lookup is a plain property access on this object, so it is not
    // limited to the numeric keys above; event IDs are expected to be numeric.
    process: function(evt) {
        var eventId = evt.Get("winlog.event_id");
        var handler = this[eventId];
        if (handler !== undefined) {
            evt.Put("event.module", "security");
            handler(evt);
        }
    },
};
})();
/**
 * Script entry point: forwards the event to the security module's dispatcher
 * and hands back whatever that call returns.
 *
 * @param {Object} evt - The event passed in by the caller.
 * @returns {*} The result of security.process(evt).
 */
function process(evt) {
    var outcome = security.process(evt);
    return outcome;
}
Winlogbeat does not start.
It shows this error:
Error 1053: The service did not respond to the start or control request in a timely fashion.
What is wrong?
Need help.
Thanks.