Winlogbeat event_id

VamPikmin · June 5, 2017, 2:29am

Hi there,
Is there a way to include meaningful descriptions to each of the event_ids that are being ingested into logstash?

When I use the event_id to display top five for example I get the actual Event ID from Windows
4,634 4,648 4,768 4,625 4,740

I would like it to expand it to display something like
4740 account locked
4625 failed to logon
and so on

Thanks

andrewkroh · June 5, 2017, 1:51pm

You could use Logstash to add your own custom category to events. With the translate filter you can map event IDs to categories and add this a a new field, like category.

VamPikmin · June 5, 2017, 11:54pm

Thanks for the suggestion Andrew, that does look like what I'm after

Topic		Replies	Views
No event.category in Winlogbeat Beats winlogbeat	7	540	October 19, 2023
How to match Event ID, Knowledge Base DB with winlogbeat Beats winlogbeat	3	1348	June 2, 2016
How to add a field with description for a specific Windows Event ID? Beats winlogbeat	6	644	April 28, 2021
Winlogbeat "event_id" filter does not seem to be working Beats winlogbeat	2	886	September 16, 2019
Winlogbeats not exporitng event.id or xml data Beats winlogbeat	10	1325	July 6, 2018

Winlogbeat event_id

Related topics