Winlogbeat 7.0 not dropping events


(Vam Pikmin) #1

Since the upgrade I have noticed winlogbeat is ingesting event ids other than those specified in the config file. I also see some new fields being created, like event.code and winlog.event_id, while event_id is not showing after I've refreshed the winlogbeat index.
I tried changing event_id to winlog.event_id and restarting winlogbeat, but it hasn't made a difference.

# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
  #- name: Application
  #  ignore_older: 72h
  - name: Security
  #event_id: ...
  #  event_id: 4624,4625,4634,4648,4672,4768,4769,4778,4779,4932,4933,5058,5061,4740,6272,6273,6274,6275,6276,6277,6278,6279,6280
  #- name: System
processors:
  - drop_event.when.not.or:    #27
    - equals.event_id: 4624
    - equals.event_id: 4625
    - equals.event_id: 4634
    - equals.event_id: 4648
    - equals.event_id: 4672
    - equals.event_id: 4722 #account enabled
    - equals.event_id: 4725 #account disabled
    - equals.event_id: 4740
    - equals.event_id: 4767 #account unlocked
    - equals.event_id: 4768
    - equals.event_id: 4769
    - equals.event_id: 4778
    - equals.event_id: 4779
    - equals.event_id: 4932
    - equals.event_id: 4933
    - equals.event_id: 5058
    - equals.event_id: 5061
    - equals.event_id: 6272
    - equals.event_id: 6273
    - equals.event_id: 6274
    - equals.event_id: 6275
    - equals.event_id: 6276
    - equals.event_id: 6277
    - equals.event_id: 6278
    - equals.event_id: 6279
    - equals.event_id: 6280

I've been playing with this all day and can't get it to work. Even with just 4624 and 4625 I get nothing in the log, and tcpdump shows no data being sent.

PS C:\Program Files\winlogbeat> .\winlogbeat.exe -e -d "processors"
2019-04-15T19:06:52.593+1000 INFO instance/beat.go:571 Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\Program Files\winlogbeat\data] Logs path: [C:\Program Files\winlogbeat\logs]
2019-04-15T19:06:52.595+1000 INFO instance/beat.go:579 Beat ID: 3e3ce622-f941-4b3e-b115-ead932f1eb61
2019-04-15T19:06:52.595+1000 INFO [index-management.ilm] ilm/ilm.go:129 Policy name: winlogbeat-7.0.0
2019-04-15T19:06:52.595+1000 DEBUG [processors] processors/processor.go:66 Processors: drop_event, condition=!equals: map[event_id:{0 4624 false}] or equals: map[event_id:{0 4625 false}]
2019-04-15T19:06:52.595+1000 INFO [beat] instance/beat.go:827 Beat info {"system_info": {"beat": {"path": {"config": "C:\Program Files\winlogbeat", "data": "C:\Program Files\winlogbeat\data", "home": "C:\Program Files\winlogbeat", "logs": "C:\Program Files\winlogbeat\logs"}, "type": "winlogbeat", "uuid": "3e3ce622-f941-4b3e-b115-ead932f1eb61"}}}
2019-04-15T19:06:52.596+1000 INFO [beat] instance/beat.go:836 Build info {"system_info": {"build": {"commit": "da192b7d09af1d735cef19ea7816b8b8a5d4a323", "libbeat": "7.0.0", "time": "2019-04-05T22:07:31.000Z", "version": "7.0.0"}}}
2019-04-15T19:06:52.596+1000 INFO [beat] instance/beat.go:839 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":2,"version":"go1.11.5"}}}
2019-04-15T19:06:52.607+1000 INFO [beat] instance/beat.go:843 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-04-14T19:48:57.66+10:00","name":"SPPAD","ip":["192.168.101.118/24","::1/128","127.0.0.1/8"],"kernel_version":"6.2.9200.22702 (win8_ldr_escrow.190305-1818)","mac":["00:50:56:bf:14:0c"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2012 Datacenter","version":"6.2","major":2,"minor":0,"patch":0,"build":"9200.22700"},"timezone":"AEST","timezone_offset_sec":36000,"id":"e7d3a01f-0099-45ad-9dea-44ba53712a59"}}}
2019-04-15T19:06:52.609+1000 INFO [beat] instance/beat.go:872 Process info {"system_info": {"process": {"cwd": "C:\Program Files\winlogbeat", "exe": "C:\Program Files\Winlogbeat\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 8336, "ppid": 6968, "start_time": "2019-04-15T19:06:52.522+1000"}}}
2019-04-15T19:06:52.609+1000 INFO instance/beat.go:280 Setup Beat: winlogbeat; Version: 7.0.0
2019-04-15T19:06:52.610+1000 INFO [publisher] pipeline/module.go:97 Beat name: SPPAD
2019-04-15T19:06:52.610+1000 INFO beater/winlogbeat.go:68 State will be read from and persisted to C:\Program Files\winlogbeat\data.winlogbeat.yml
2019-04-15T19:06:52.610+1000 DEBUG [processors] processors/processor.go:66 Processors:
2019-04-15T19:06:52.611+1000 INFO instance/beat.go:391 winlogbeat start running.
2019-04-15T19:06:52.611+1000 INFO [monitoring] log/log.go:117 Starting metrics logging every 30s
2019-04-15T19:06:52.719+1000 INFO beater/eventlogger.go:75 EventLog[Security] successfully published 1 events
2019-04-15T19:06:52.719+1000 INFO beater/eventlogger.go:75 EventLog[Security] successfully published 1 events
2019-04-15T19:06:52.719+1000 INFO beater/eventlogger.go:75 EventLog[Security] successfully published 1 events
2019-04-15T19:06:52.719+1000 INFO beater/eventlogger.go:75 EventLog[Security] successfully published 1 events
2019-04-15T19:06:52.720+1000 INFO beater/eventlogger.go:75 EventLog[Security] successfully published 1 events
2019-04-15T19:06:52.720+1000 INFO beater/eventlogger.go:75 EventLog[Security] successfully published 1 events
2019-04-15T19:06:52.720+1000 INFO beater/eventlogger.go:75 EventLog[Security] successfully published 1 even


(Vam Pikmin) #2

If I use winlogbeat 6.7.1 everything seems to be okay

I tried again, and the breaking changes in 7.0 specify that the field has been renamed:
event_id -> winlog.event_id

I have added the events in the processors section; hope this helps someone who's a beginner like me.

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - drop_event.when.not.or:
    - equals.winlog.event_id: 4624
    - equals.winlog.event_id: 4625
    - equals.winlog.event_id: 4634
    - equals.winlog.event_id: 4648
    - equals.winlog.event_id: 4672
    - equals.winlog.event_id: 4722 #account enabled
    - equals.winlog.event_id: 4725 #account disabled
    - equals.winlog.event_id: 4740
    - equals.winlog.event_id: 4767 #account unlocked
    - equals.winlog.event_id: 4768
    - equals.winlog.event_id: 4769
    - equals.winlog.event_id: 4778
    - equals.winlog.event_id: 4779
    - equals.winlog.event_id: 4932
    - equals.winlog.event_id: 4933
    - equals.winlog.event_id: 5058
    - equals.winlog.event_id: 5061
    - equals.winlog.event_id: 6272
    - equals.winlog.event_id: 6273
    - equals.winlog.event_id: 6274
    - equals.winlog.event_id: 6275
    - equals.winlog.event_id: 6276
    - equals.winlog.event_id: 6277
    - equals.winlog.event_id: 6278
    - equals.winlog.event_id: 6279
    - equals.winlog.event_id: 6280

#================================ Logging =====================================
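Why the first config dropped everything and the second one works, worked through as an added example (this is not Winlogbeat's code and not the poster's; it is a simplified Python model of the documented `equals` / `or` / `not` condition semantics, and the sample events are constructed to mimic the 6.x shape with a top-level `event_id` and the 7.0 shape with `winlog.event_id`). The allow-list of IDs is the one from the thread. A condition is written here as a dict mirroring the YAML, with `equals` keyed by the dotted field path; that mapping is an assumption of the model, not the real config parser.

```python
"""Model of a Winlogbeat ``drop_event.when.not.or`` allow-list against
6.x-style and 7.0-style events.  Added example, not Winlogbeat code:
``evaluate`` is a simplified re-implementation of the equals/or/and/not
condition semantics, enough to show why a condition keyed on the old
``event_id`` field drops every event once the field becomes ``winlog.event_id``.
"""
from typing import Any, Dict, List

# Event IDs to keep, copied from the thread's processor config.
KEEP_IDS = [4624, 4625, 4634, 4648, 4672, 4722, 4725, 4740, 4767, 4768,
            4769, 4778, 4779, 4932, 4933, 5058, 5061, 6272, 6273, 6274,
            6275, 6276, 6277, 6278, 6279, 6280]

# Constructed sample events (not real Security log records).
# 7.0 shape: id nested under 'winlog', plus the ECS 'event.code' string.
EVENTS_70 = [
    {"winlog": {"event_id": 4624, "channel": "Security"}, "event": {"code": "4624"}},
    {"winlog": {"event_id": 4688, "channel": "Security"}, "event": {"code": "4688"}},
    {"winlog": {"event_id": 4740, "channel": "Security"}, "event": {"code": "4740"}},
]
# 6.x shape: top-level 'event_id'.
EVENTS_6X = [
    {"event_id": 4624, "log_name": "Security"},
    {"event_id": 4688, "log_name": "Security"},
    {"event_id": 4740, "log_name": "Security"},
]


def get_field(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted path ('winlog.event_id') in a nested event dict.
    Returns None when any segment is missing, i.e. the field does not exist."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(cond: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate a condition dict (assumed model of the YAML shape):
      {"equals": {"<dotted field>": value}}  -> field == value
      {"or": [cond, ...]}                    -> any
      {"and": [cond, ...]}                   -> all
      {"not": cond}                          -> negation
    A missing field never satisfies 'equals'."""
    if "equals" in cond:
        return all(get_field(event, f) == v for f, v in cond["equals"].items())
    if "or" in cond:
        return any(evaluate(c, event) for c in cond["or"])
    if "and" in cond:
        return all(evaluate(c, event) for c in cond["and"])
    if "not" in cond:
        return not evaluate(cond["not"], event)
    raise ValueError(f"unsupported condition: {cond}")


def keep_condition(field: str) -> Dict[str, Any]:
    """The thread's 'drop_event.when.not.or' condition, keyed on `field`
    ('event_id' for the 6.x config, 'winlog.event_id' for the 7.0 config)."""
    return {"not": {"or": [{"equals": {field: eid}} for eid in KEEP_IDS]}}


def apply_drop_event(events: List[Dict[str, Any]], when: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Events that survive a drop_event processor with the given 'when' condition."""
    return [e for e in events if not evaluate(when, e)]


def kept_ids(events: List[Dict[str, Any]], condition_field: str, id_field: str) -> List[Any]:
    """Run the allow-list filter and report which event IDs survive,
    reading the ID from `id_field` so 6.x and 7.0 events can be compared."""
    kept = apply_drop_event(events, keep_condition(condition_field))
    return [get_field(e, id_field) for e in kept]


if __name__ == "__main__":
    # 6.x condition on 6.x events: only allow-listed IDs survive.
    print("6.x config / 6.x events:", kept_ids(EVENTS_6X, "event_id", "event_id"))
    # Same condition on 7.0 events: 'event_id' no longer exists, every 'equals'
    # is false, the 'or' is false, 'not' turns it true, so everything is dropped.
    print("6.x config / 7.0 events:", kept_ids(EVENTS_70, "event_id", "winlog.event_id"))
    # Condition keyed on the renamed field: the allow-list works again.
    print("7.0 config / 7.0 events:", kept_ids(EVENTS_70, "winlog.event_id", "winlog.event_id"))
```

The middle case is the symptom from the first post: the debug line `condition=!equals: map[event_id:...]` shows the processor loaded, but because no 7.0 event carries a top-level `event_id`, the negated `or` is true for every event and nothing reaches the output, which is why tcpdump showed no traffic. Running the beat with `-e -d "processors"` before and after such a rename is a cheap way to confirm which field names the condition was actually compiled against.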