Winlogbeat displaying GUID in Windows events instead of object name

Geezer · January 12, 2017, 10:10pm

Hello,

We are using Winlogbeat 1.2.3 to ship Windows events via Logstash into Elasticsearch.

When I look at a 4662 events in Kibi, for example, under ObjectType and ObjectName I see the GUIDs rather than "ObjectType=Organizational Unit" and the OU name.

The values displayed are those from the Event XML. Is Winlogbeat capable of sending the object names in the event?

The events are coming from Windows 2008 R2.

Thank you

andrewkroh · January 12, 2017, 10:14pm

Please provide the JSON representation of the event from Elasticsearch. What field is problematic? What value are you expecting? Did you mean Winlogbeat 1.3.1? What operating system are you using?

Geezer · January 12, 2017, 11:19pm

Hello,

No, we are using Winlogbeat 1.2.3

Example. This is what we would see looking at the event in Windows

Object:
	Object Server:		DS
	Object Type:		organizationalUnit
	Object Name:		OU=Container_A,OU=Container_B,OU=Organization,DC=domain,DC=com
	Handle ID:		0x0

If we look at the event XML in Windows, rather than displaying the "Object Type" and "Object Name", we would see something like this:

    <Data Name="ObjectType">%{xxxxxxxx-1111-2222-3333-yyyyyyyyyyyyy}</Data>
    <Data Name="ObjectName">%{aaaaaaaa-4444-5555-6666-bbbbbbbbbbbb}</Data>

When the event arrives in Elasticsearch, or at least when it is viewed in Kibi, the message field contains formatted text as we would see in the Windows event, but various fields contain the values from the Event XML instead e.g.

Object:
	Object Server:		DS
	Object Type:		%{xxxxxxxx-1111-2222-3333-yyyyyyyyyyyyy}
	Object Name:		%{aaaaaaaa-4444-5555-6666-bbbbbbbbbbbb}
	Handle ID:		0x0

This is an example json event, with host and domain names removed.

{
  "_index": "logstash-winlogbeat-2017.01.12",
  "_type": "win_evt",
  "_id": "AVmU8JC5b-5X6GHa70Yi",
  "_score": 1,
  "_source": {
    "message": "An operation was performed on an object.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-21-72051607-1886416376-1608665341-101347\n\tAccount Name:\t\tXXXXXXX$\n\tAccount Domain:\t\tXXXXXXXX\n\tLogon ID:\t\t0x151E5000A\n\nObject:\n\tObject Server:\t\tDS\n\tObject Type:\t\t%{bf967aa5-0de6-11d0-a285-00aa003049e2}\n\tObject Name:\t\t%{e95b12d4-4637-4446-bd50-76d981b38448}\n\tHandle ID:\t\t0x0\n\nOperation:\n\tOperation Type:\t\tObject Access\n\tAccesses:\t\tList Contents\n\t\t\t\t\n\tAccess Mask:\t\t0x4\n\tProperties:\t\tList Contents\n\t{bf967aa5-0de6-11d0-a285-00aa003049e2}\n\n\nAdditional Information:\n\tParameter 1:\t\t-\n\tParameter 2:\t\t",
    "@version": "1",
    "@timestamp": "2017-01-12T23:08:28.467Z",
    "log_name": "Security",
    "source_name": "Microsoft-Windows-Security-Auditing",
    "level": "Information",
    "category": "Directory Service Access",
    "beat": {
      "hostname": "xxxxxxx",
      "name": "xxxxxxx"
    },
    "tags": [
      "DomainController",
      "winlogbeat",
      "beats_input_codec_plain_applied",
      "winlogbeat"
    ],
    "computer_name": "xxxxxxx.xxxxxxx.com",
    "record_number": "1245196314",
    "event_id": 4662,
    "type": "wineventlog",
    "count": 1,
    "host": "xxxxxxx"
  },
  "fields": {
    "@timestamp": [
      1484262508467
    ]
  }
}

andrewkroh · January 13, 2017, 12:22am

Can you please try this with Winlogbeat 5.1.2 and see if you get the same behavior and post the JSON event.

maddin2016 · January 13, 2017, 1:39pm

That is by design. Eventviewer only translate the GUID into an object. Try to run Get-EventLog -LogName Security -Newest 500 | ? { $_.EventID -eq 4662} |Format-List and you see that ObjectName is a GUID. You can get the object by Get-ADObject xxxxxxxx-1111-2222-3333-yyyyyyyyyyyyy. This is what the EventViewer is doing.

maddin2016 · January 13, 2017, 3:06pm

@andrewkroh, What do you think of adding a feature which try to translate SID's into names. Maybe a config for fields which should translate.
For example

translate_sid:
  -fields:["objectname", ... , ...]

andrewkroh · January 16, 2017, 9:50pm

I like the idea of doing this for the users. I'm wondering if there is way that Winlogbeat can do it without requiring configuration. Is there any sort of type information in the XML that we can use to trigger the translation (like something that says this is a GUID)? Or is there some other reliable method for identifying the GUID fields other than static configuration?

Geezer · January 16, 2017, 10:57pm

AFAIK the fields we would want to decode will start with a percent sign and curly bracket in the XML e.g.:

ObjectType %{bf967aa5-0de6-11d0-a285-00aa003049e2}

...would decode as:

Object Type: organizationalUnit

system · February 13, 2017, 10:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.