I am currently indexing the Windows Security log, and the events are being sent to Elasticsearch and successfully indexed. However, if I do not specify the pipeline named 'winlogbeat-8.8.2-security' in the output, the events are not parsed by any pipeline.
I have conducted manual tests with my event JSON in both the security pipeline and the routing pipeline, and it is being parsed correctly in both cases.
This is my conf:

```yaml
winlogbeat.event_logs:
  - name: Security
    ignore_older: 1h

setup.kibana:
  host: "https://kibana-url:443"
  username: "${KB_USER}"
  password: "${KB_PWD}"

output.elasticsearch:
  hosts: ["https://elasticsearch-url:443"]
  protocol: "https"
  username: "${ES_USER}"
  password: "${ES_PWD}"
```
Here's an event example (the `\u`/`\c` escapes left behind by redacting the account name and domain are restored to `\t` so the document is valid JSON):

```json
{
  "_index": ".ds-winlogbeat-8.8.2-2023.07.26-000001",
  "_id": "oRnxk4kByRBLADHKW66P",
  "_version": 1,
  "_score": 0,
  "_source": {
    "@timestamp": "2023-07-26T19:26:07.641Z",
    "@metadata": {
      "beat": "winlogbeat",
      "type": "_doc",
      "version": "8.8.2"
    },
    "log": {
      "level": "information"
    },
    "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tACCOUNT_SID\n\tAccount Name:\t\tuser_nm\n\tAccount Domain:\t\tcom\n\tLogon ID:\t\t0x7FB4EC4B\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
    "host": {
      "name": "host.com"
    },
    "winlog": {
      "provider_guid": "{99999999999999}",
      "event_data": {
        "TargetUserName": "user_nm",
        "TargetDomainName": "com"
      },
      "process": {
        "pid": 999999,
        "thread": {
          "id": 999999
        }
      },
      "event_id": "4634",
      "provider_name": "Microsoft-Windows-Security-Auditing",
      "task": "Logoff",
      "keywords": [
        "Audit Success"
      ],
      "record_id": 9265451,
      "computer_name": "host.com",
      "channel": "Security",
      "opcode": "Info",
      "api": "wineventlog"
    },
    "event": {
      "code": "4634",
      "kind": "event",
      "provider": "Microsoft-Windows-Security-Auditing",
      "outcome": "success",
      "action": "Logoff",
      "created": "2023-07-26T20:23:55.129Z"
    },
    "ecs": {
      "version": "8.0.0"
    },
    "agent": {
      "ephemeral_id": "4744fb12-9af8-4787-bf8f-490608b0cc89",
      "id": "7067f2d7-82fe-4890-a688-883c924e8a46",
      "name": "host.com",
      "type": "winlogbeat",
      "version": "8.8.2"
    }
  }
}
```
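Added example, not part of the original post: the `output.elasticsearch` section with the ingest pipeline selected per event instead of hard-coding `winlogbeat-8.8.2-security`. It assumes the pipelines were loaded into Elasticsearch with `winlogbeat setup --pipelines` for the same Beat version, so that `winlogbeat-8.8.2-routing` exists and hands `winlog.channel: Security` events to `winlogbeat-8.8.2-security` (other channels go to their own pipelines). The host names and credential variables are the ones from the posted config; `%{[agent.version]}` is Beats format-string syntax that expands at send time, so the setting survives an upgrade.

```yaml
winlogbeat.event_logs:
  - name: Security
    ignore_older: 1h

setup.kibana:
  host: "https://kibana-url:443"
  username: "${KB_USER}"
  password: "${KB_PWD}"

output.elasticsearch:
  hosts: ["https://elasticsearch-url:443"]
  protocol: "https"
  username: "${ES_USER}"
  password: "${ES_PWD}"
  # Without this line Winlogbeat sends plain `_bulk` requests and Elasticsearch
  # applies no ingest pipeline at all, which is what the posted document shows.
  # The routing pipeline dispatches on `winlog.channel`, so one setting covers
  # Security, Sysmon and PowerShell channels alike (assumption: pipelines loaded
  # via `winlogbeat setup --pipelines` for this version).
  pipeline: "winlogbeat-%{[agent.version]}-routing"
```

A quick check after restarting the Beat: new documents for event 4634 should carry fields the security pipeline adds (for example `event.category`), which the posted document lacks; documents indexed before the change keep their raw form unless reindexed through the pipeline.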