Hello
We save the windows XP event log to elasticsearch by winlogbeat.
But we find there is no field of event_data.Binary in elasticsearch.
For win7 system we can get a field:"event_data.Binary XXXXXXXXXXXXXX".
Is there any config issue?
OS:XP
elasticsearch:5.6.5
winlogbeat: winlogbeat-5.6.3-windows-x86
here is the XP event log:
The Bytes data can not show on kinana:
I took a look at the code that is used on pre-Vista machines and it does not read the binary data contained in the EVENTLOGRECORD.
For reference:
The binary information is information that is specific to the event. It could be the contents of the processor registers when a device driver got an error, a dump of an invalid packet that was received from the network, a dump of all the structures in a program (when the data area was detected to be corrupt), and so on. This information should be useful to the writer of the device driver or the application in tracking down bugs or unauthorized breaks into the application.
Source: EVENTLOGRECORD (winnt.h) - Win32 apps | Microsoft Learn
Winlogbeat reads the data offset and length but it does not fetch the raw binary data from the buffer. See https://github.com/elastic/beats/blob/c821b84cf55f88778c9702a60aea52c52d5643d7/winlogbeat/sys/eventlogging/eventlogging_windows.go#L356-L366
I think it should be easy to add this since we already know the offset and length. Please open an enhancement request on Github for this.
How are you using this binary data? What are your use cases?
This topic was automatically closed after 21 days. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
