Winlogbeat displaying GUID in Windows events instead of object name


#1

Hello,

We are using Winlogbeat 1.2.3 to ship Windows events via Logstash into Elasticsearch.

When I look at 4662 events in Kibi, for example, under ObjectType and ObjectName I see the GUIDs rather than "ObjectType=Organizational Unit" and the OU name.

The values displayed are those from the Event XML. Is Winlogbeat capable of sending the object names in the event?

The events are coming from Windows 2008 R2.

Thank you


(Andrew Kroh) #2

Please provide the JSON representation of the event from Elasticsearch. What field is problematic? What value are you expecting? Did you mean Winlogbeat 1.3.1? What operating system are you using?


#3

Hello,

No, we are using Winlogbeat 1.2.3.

Example. This is what we would see looking at the event in Windows:

Object:
	Object Server:		DS
	Object Type:		organizationalUnit
	Object Name:		OU=Container_A,OU=Container_B,OU=Organization,DC=domain,DC=com
	Handle ID:		0x0

If we look at the event XML in Windows, rather than displaying the "Object Type" and "Object Name", we would see something like this:

    <Data Name="ObjectType">%{xxxxxxxx-1111-2222-3333-yyyyyyyyyyyyy}</Data>
    <Data Name="ObjectName">%{aaaaaaaa-4444-5555-6666-bbbbbbbbbbbb}</Data>

When the event arrives in Elasticsearch, or at least when it is viewed in Kibi, the message field contains formatted text as we would see in the Windows event, but various fields contain the values from the Event XML instead e.g.

Object:
	Object Server:		DS
	Object Type:		%{xxxxxxxx-1111-2222-3333-yyyyyyyyyyyyy}
	Object Name:		%{aaaaaaaa-4444-5555-6666-bbbbbbbbbbbb}
	Handle ID:		0x0

This is an example JSON event, with host and domain names removed:

{
  "_index": "logstash-winlogbeat-2017.01.12",
  "_type": "win_evt",
  "_id": "AVmU8JC5b-5X6GHa70Yi",
  "_score": 1,
  "_source": {
    "message": "An operation was performed on an object.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-21-72051607-1886416376-1608665341-101347\n\tAccount Name:\t\tXXXXXXX$\n\tAccount Domain:\t\tXXXXXXXX\n\tLogon ID:\t\t0x151E5000A\n\nObject:\n\tObject Server:\t\tDS\n\tObject Type:\t\t%{bf967aa5-0de6-11d0-a285-00aa003049e2}\n\tObject Name:\t\t%{e95b12d4-4637-4446-bd50-76d981b38448}\n\tHandle ID:\t\t0x0\n\nOperation:\n\tOperation Type:\t\tObject Access\n\tAccesses:\t\tList Contents\n\t\t\t\t\n\tAccess Mask:\t\t0x4\n\tProperties:\t\tList Contents\n\t{bf967aa5-0de6-11d0-a285-00aa003049e2}\n\n\nAdditional Information:\n\tParameter 1:\t\t-\n\tParameter 2:\t\t",
    "@version": "1",
    "@timestamp": "2017-01-12T23:08:28.467Z",
    "log_name": "Security",
    "source_name": "Microsoft-Windows-Security-Auditing",
    "level": "Information",
    "category": "Directory Service Access",
    "beat": {
      "hostname": "xxxxxxx",
      "name": "xxxxxxx"
    },
    "tags": [
      "DomainController",
      "winlogbeat",
      "beats_input_codec_plain_applied",
      "winlogbeat"
    ],
    "computer_name": "xxxxxxx.xxxxxxx.com",
    "record_number": "1245196314",
    "event_id": 4662,
    "type": "wineventlog",
    "count": 1,
    "host": "xxxxxxx"
  },
  "fields": {
    "@timestamp": [
      1484262508467
    ]
  }
}

(Andrew Kroh) #4

Can you please try this with Winlogbeat 5.1.2 and see if you get the same behavior and post the JSON event.


(Maddin2016) #5

That is by design. Event Viewer only translates the GUID into an object. Try to run Get-EventLog -LogName Security -Newest 500 | ? { $_.EventID -eq 4662 } | Format-List and you will see that ObjectName is a GUID. You can get the object by Get-ADObject xxxxxxxx-1111-2222-3333-yyyyyyyyyyyyy. This is what the Event Viewer is doing.


(Maddin2016) #6

@andrewkroh, what do you think of adding a feature which tries to translate SIDs into names? Maybe a config for fields which should be translated.
For example

    translate_sid:
      - fields: ["objectname", ... , ...]

(Andrew Kroh) #7

I like the idea of doing this for the users. I'm wondering if there is a way that Winlogbeat can do it without requiring configuration. Is there any sort of type information in the XML that we can use to trigger the translation (like something that says this is a GUID)? Or is there some other reliable method for identifying the GUID fields other than static configuration?


#8

AFAIK the fields we would want to decode will start with a percent sign and curly bracket in the XML e.g.:

ObjectType %{bf967aa5-0de6-11d0-a285-00aa003049e2}

...would decode as:

Object Type: organizationalUnit

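The detection rule from the previous post (a value is a directory GUID placeholder exactly when it is wrapped in `%{...}`), together with the resolution step from post #5, as an added Go example. This is not Winlogbeat's own code: the `<EventData>` fragment is constructed from the 4662 event quoted above, the `ParseEventData`/`TranslateGUIDs`/`Resolver` names are the example's own, and the static lookup table (holding only the organizationalUnit schema GUID the thread shows) stands in for the Get-ADObject/LDAP query a real collector would make. The object GUID in ObjectName is deliberately absent from the table, so the example also shows the failure mode of a forwarded or otherwise unresolvable event: the raw placeholder is kept rather than dropped.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the <EventData> element of a 4662 event as it appears in
// the Windows event XML. The GUIDs are the ones quoted in the thread above.
const sampleEventData = `<EventData>
  <Data Name="SubjectUserSid">S-1-5-21-72051607-1886416376-1608665341-101347</Data>
  <Data Name="ObjectServer">DS</Data>
  <Data Name="ObjectType">%{bf967aa5-0de6-11d0-a285-00aa003049e2}</Data>
  <Data Name="ObjectName">%{e95b12d4-4637-4446-bd50-76d981b38448}</Data>
  <Data Name="HandleId">0x0</Data>
  <Data Name="AccessMask">0x4</Data>
</EventData>`

// eventData mirrors the <Data Name="...">value</Data> layout of <EventData>.
type eventData struct {
	Data []struct {
		Name  string `xml:"Name,attr"`
		Value string `xml:",chardata"`
	} `xml:"Data"`
}

// guidPlaceholder matches the %{GUID} wrapper that marks a value the Event
// Viewer resolves against the directory; group 1 captures the bare GUID.
var guidPlaceholder = regexp.MustCompile(
	`^%\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}$`)

// Resolver maps a bare GUID to a display name. ok=false means "unknown" and
// leaves the original value in place, so evidence is never silently lost.
type Resolver func(guid string) (name string, ok bool)

// staticResolver is a lookup table standing in for a directory query
// (Get-ADObject <guid> or an LDAP search by objectGUID). Hypothetical helper.
func staticResolver(table map[string]string) Resolver {
	return func(guid string) (string, bool) {
		n, ok := table[strings.ToLower(guid)]
		return n, ok
	}
}

// ParseEventData unmarshals an <EventData> element into a name/value map.
func ParseEventData(raw string) (map[string]string, error) {
	var ed eventData
	if err := xml.Unmarshal([]byte(raw), &ed); err != nil {
		return nil, err
	}
	out := make(map[string]string, len(ed.Data))
	for _, d := range ed.Data {
		out[d.Name] = d.Value
	}
	return out, nil
}

// TranslateGUIDs rewrites every %{GUID} field the resolver knows. The bare GUID
// is kept in "<field>_guid" so the raw identifier stays searchable; unknown
// GUIDs are left untouched. Returns the new map and the number of fields
// that were resolved.
func TranslateGUIDs(fields map[string]string, resolve Resolver) (map[string]string, int) {
	out := make(map[string]string, len(fields))
	resolved := 0
	for name, value := range fields {
		out[name] = value
		m := guidPlaceholder.FindStringSubmatch(value)
		if m == nil {
			continue // plain value (SID, hex mask, ...): nothing to translate
		}
		if display, ok := resolve(m[1]); ok {
			out[name] = display
			out[name+"_guid"] = m[1]
			resolved++
		}
	}
	return out, resolved
}

func main() {
	fields, err := ParseEventData(sampleEventData)
	if err != nil {
		panic(err)
	}
	// Schema GUID of organizationalUnit, as decoded in the thread.
	table := map[string]string{
		"bf967aa5-0de6-11d0-a285-00aa003049e2": "organizationalUnit",
	}
	translated, n := TranslateGUIDs(fields, staticResolver(table))
	fmt.Printf("resolved %d field(s)\n", n)
	for _, k := range []string{"ObjectType", "ObjectType_guid", "ObjectName"} {
		fmt.Printf("%-16s %s\n", k, translated[k])
	}
}
```

Matching on the `%{...}` wrapper rather than on a fixed field list is what lets the translation run without per-field configuration; the table is the only part that needs a live directory behind it, and on a host without that access (a log forwarder, for instance) the raw GUID remains in the event for later enrichment.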
