Winlogbeat data is not parsing properly

sundar_elk · April 20, 2020, 9:01am

Hi Team,

I'm using winlogbeat for pushing all windows events to elasticsearch. Parsing is not happening properly.

One of the examples is under “Message” there is “Properties” which when parsed in winlog.event_data.Properties does not show up correctly

Actual message :-1

parsed field :-1

It should come read property but coming some number %%7684

Is it bug?

Thanks
Sundar

andrewkroh · April 21, 2020, 10:42am

Can you provide the raw XML from the Windows Event Viewer for this particular event. Winlogbeat does not parse the message field. It unmarshals the event it gets from Windows in XML and sends it as JSON.

The conversion of %%7684 to "Read Property" is possibly something that could be handled in a module, like the Security module.

sundar_elk · April 21, 2020, 12:39pm

@andrewkroh, Your right . I have checked my XML and it coming as %%7682. It looks like issue from our windows event. Thanks a lot for your reply. We can close this thread.

andrewkroh · April 22, 2020, 1:12am

What was the event ID? It's probably something we can enrich in the Security module. Like do a conversion in the winlog.event_data field.

sundar_elk · April 22, 2020, 4:45am

event id is 4662. Below are screenshots. Not only 4662 and other security events also.

General view :-

XML view :-

I'm not sure why properties field is different from general view and XML view. Our windows team also looking into this. will get back to you soon once i get the update from windows team.

andrewkroh · April 23, 2020, 10:23pm

Event ID 4662 isn't yet handled in the Security module. The module does have a translation table for those codes. The module needs enhanced to map the fields in 4662 over to ECS.

github.com

elastic/beats/blob/86c59c09bc8fc6f6f36ff111624356b1cfec3102/x-pack/winlogbeat/module/security/config/winlogbeat-security.js#L942


"7426": "DDE Share Initiate Static",
"7427": "DDE Share Initiate Link",
"7428": "DDE Share Request",
"7429": "DDE Share Advise",
"7430": "DDE Share Poke",
"7431": "DDE Share Execute",
"7432": "DDE Share Add Items",
"7433": "DDE Share List Items",
"7680": "Create Child",
"7681": "Delete Child",
"7682": "List Contents",
"7683": "Write Self",
"7684": "Read Property",
"7685": "Write Property",
"7686": "Delete Tree",
"7687": "List Object",
"7688": "Control Access",
"7689": "Undefined Access (no effect) Bit 9",
"7690": "Undefined Access (no effect) Bit 10",
"7691": "Undefined Access (no effect) Bit 11",
"7692": "Undefined Access (no effect) Bit 12",

sundar_elk · April 26, 2020, 5:24am

Thanks for your information, Can you please let me know how many events are completed with ECS format for all fields and what are the other event ID's are pending for ECS? if we get details we can parse the data via logstash. No need to wait for another release for this.

andrewkroh · May 7, 2020, 1:43pm

This information about what event IDs are mapped in each module is contained in the documentation. Choose your Winlogbeat version in the docs. Additionally the source for each module is in Github and you can see the mapping logic.

sundar_elk · May 10, 2020, 7:03am

thank you for detailed information.

system · June 7, 2020, 7:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.