Winlogbeat 8.5 and Windows 11 22H2

Greetings! It appears that variables (e.g. %1, %2) in Windows events shipped via winlogbeat do not have these variables replaced with their real values.

Example:

Credential Manager credentials were read.

Subject:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4
	Read Operation:		%8

This event occurs when a user performs a read operation on stored credentials in Credential Manager.

I verified I'm using the latest publicly available winlogbeat version (8.5) but still encounter this issue. I also tried searching on this forum and around the internet but can't find any acknowledgment that this issue exists.

Any ideas?

Please share the winlogbeat.yml configuration you are using.

To debug this event, add include_xml: true into the configuration for the event log that's producing this document. After that change, share the JSON document from Elasticsearch that has this issue so that we can see the full event with the raw XML stored in event.original.

winlogbeat config:

fields_under_root: true

output.logstash:
   hosts: ["redacted:5044"]
path:
  data: .\data
  logs: .\logs
winlogbeat:
  event_logs:
   - name: Application
     ignore_older: 1h
   - name: System
     ignore_older: 1h
   - name: Security
     ignore_older: 1h
   - name: Setup
     ignore_older: 1h

Sample JSON document:

{
    "winlogbeat_event_created": "2022-11-14T23:26:53.533Z",
    "winlogbeat_agent_id": "19ecbfde-93bb-42ca-99d7-1aae1aba63b2",
    "winlogbeat_winlog_opcode": "Info",
    "winlogbeat_ecs_version": "8.0.0",
    "winlogbeat_event_code": "7040",
    "source": "unknown",
    "winlogbeat_winlog_user_identifier": "S-1-5-21-63776543-3909903815-3855965128-1001",
    "winlogbeat_winlog_user_type": "User",
    "winlogbeat_winlog_event_data_param4": "BITS",
    "winlogbeat_winlog_event_data_param3": "demand start",
    "winlogbeat_event_original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7040</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2022-11-14T23:25:46.7729215Z'/><EventRecordID>4749</EventRecordID><Correlation/><Execution ProcessID='1456' ThreadID='27768'/><Channel>System</Channel><Computer>DESKTOP-OIU9K0J</Computer><Security UserID='S-1-5-21-63776543-3909903815-3855965128-1001'/></System><EventData><Data Name='param1'>Background Intelligent Transfer Service</Data><Data Name='param2'>auto start</Data><Data Name='param3'>demand start</Data><Data Name='param4'>BITS</Data></EventData><RenderingInfo Culture='en-US'><Message>The start type of the %1 service was changed from %2 to %3.</Message><Level>Information</Level><Provider>Microsoft-Windows-Service Control Manager</Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>",
    "winlogbeat_event_action": "None",
    "streams": [
    "000000000000000000000001"
    ],
    "winlogbeat_@timestamp": "2022-11-14T23:25:46.772Z",
    "winlogbeat_agent_version": "8.5.0",
    "winlogbeat_agent_ephemeral_id": "33e854ff-2ffd-4c75-a3c2-f675cfebdb32",
    "winlogbeat_@metadata_version": "8.5.0",
    "winlogbeat_winlog_record_id": 4749,
    "winlogbeat_log_level": "information",
    "winlogbeat_@metadata_type": "_doc",
    "winlogbeat_@metadata_beat": "winlogbeat",
    "winlogbeat_event_provider": "Service Control Manager",
    "beats_type": "winlogbeat",
    "winlogbeat_winlog_user_domain": "DESKTOP-OIU9K0J",
    "winlogbeat_agent_name": "DESKTOP-OIU9K0J",
    "winlogbeat_winlog_event_id": "7040",
    "timestamp": "2022-11-14T23:25:46.772Z",
    "winlogbeat_winlog_task": "None",
    "winlogbeat_host_name": "DESKTOP-OIU9K0J",
    "winlogbeat_winlog_user_name": "geek4",
    "winlogbeat_winlog_channel": "System",
    "winlogbeat_winlog_computer_name": "DESKTOP-OIU9K0J",
    "winlogbeat_event_kind": "event",
    "winlogbeat_winlog_event_data_param2": "auto start",
    "winlogbeat_winlog_event_data_param1": "Background Intelligent Transfer Service",
    "winlogbeat_winlog_process_thread_id": 27768,
    "winlogbeat_winlog_api": "wineventlog",
    "message": "The start type of the %1 service was changed from %2 to %3.",
    "winlogbeat_winlog_provider_guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
    "winlogbeat_agent_type": "winlogbeat",
    "winlogbeat_winlog_provider_name": "Service Control Manager",
    "winlogbeat_winlog_process_pid": 1456,
    "winlogbeat_winlog_keywords": [
    "Classic"
    ]
}

For comparison, here is the original event in Windows Event Viewer:


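As an added example (not code from the thread or from Winlogbeat itself): a small Python helper that re-renders the message from event.original when the shipped message still contains %N placeholders, plus a check that flags such documents. It assumes event.original holds the full event XML, as it does with include_xml: true; the sample XML below is a constructed copy of the 7040 event posted above.

```python
import re
import xml.etree.ElementTree as ET

# Windows event schema namespace; every element in event.original lives in it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample, copied from the event.original field shown in this thread.
SAMPLE_XML = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Service Control Manager'/>"
    "<EventID Qualifiers='16384'>7040</EventID><Channel>System</Channel></System>"
    "<EventData>"
    "<Data Name='param1'>Background Intelligent Transfer Service</Data>"
    "<Data Name='param2'>auto start</Data>"
    "<Data Name='param3'>demand start</Data>"
    "<Data Name='param4'>BITS</Data>"
    "</EventData>"
    "<RenderingInfo Culture='en-US'>"
    "<Message>The start type of the %1 service was changed from %2 to %3.</Message>"
    "</RenderingInfo></Event>"
)

# %N that is NOT preceded by another '%'. Windows also uses %%N for parameter
# message strings resolved from a separate message file; those are left untouched.
PLACEHOLDER = re.compile(r"(?<!%)%(\d+)")


def has_unrendered_placeholders(message: str) -> bool:
    """True when a shipped message still carries %1, %2, ... insertion strings."""
    return PLACEHOLDER.search(message) is not None


def render_message(event_xml: str) -> str:
    """Substitute %N in RenderingInfo/Message with the N-th EventData/Data value."""
    root = ET.fromstring(event_xml)
    msg_el = root.find("e:RenderingInfo/e:Message", NS)
    template = (msg_el.text or "") if msg_el is not None else ""
    # Data elements are positional: param1 -> %1, param2 -> %2, ...
    params = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]

    def substitute(match: re.Match) -> str:
        idx = int(match.group(1)) - 1
        # Out-of-range index (e.g. %8 with only four Data values): keep the
        # placeholder rather than inventing a value.
        return params[idx] if 0 <= idx < len(params) else match.group(0)

    return PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    print(render_message(SAMPLE_XML))
```

Running the check against the ingested message field gives a quick way to count how many documents from a given host are affected after the 22H2 upgrade.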
Any update on this?

I am also seeing this after machines started updating to Win 11 22H2. I originally reported this as a Graylog Sidecar issue at Windows sidecar sends variables instead of data from one host. · Issue #449 · Graylog2/collector-sidecar · GitHub

With latest winlogbeat 8.5.2 this is an example of data I get: PrivateBin

This does appear to be an issue with Winlogbeat (although possibly caused by a change in Windows 11).

Most definitely related to Win11 updating to 22H2. I had 2 installs running years old winlogbeat, one of them updated to 22H2, later on I noticed this issue, but didn't make the connection. Even later I was digging more into this as I was updating the 2nd machine to 22H2 and immediately after first boot of 22H2 the issue presented itself.

I've posted an issue here Winlogbeat sending winevt with '%' variables and not the replacement values · Issue #33966 · elastic/beats · GitHub

