Winlogbeat: missing data in user_data field

apawlowski · September 6, 2022, 4:47am

Hi,

we are trying to ship event ID 81 of the channel "Microsoft-Windows-CAPI2". However, we realized that data is missing.

The actual event in the Windows event log looks like this:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" /> 
  <EventID>81</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>80</Task> 
  <Opcode>2</Opcode> 
  <Keywords>0x4000000000000040</Keywords> 
  <TimeCreated SystemTime="2022-08-15T12:01:54.908292900Z" /> 
  <EventRecordID>58</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="4832" ThreadID="4132" /> 
  <Channel>Microsoft-Windows-CAPI2/Operational</Channel> 
  <Computer>dc.adandomain2016.local</Computer> 
  <Security UserID="S-1-5-21-2609678811-3532437206-1426022710-1000" /> 
  </System>
- <UserData>
- <WinVerifyTrust>
  <ActionID>{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}</ActionID> 
  <UIChoice value="2">WTD_UI_NONE</UIChoice> 
  <RevocationCheck value="0" /> 
  <StateAction value="1">WTD_STATEACTION_VERIFY</StateAction> 
  <Flags value="80000040" WTD_REVOCATION_CHECK_CHAIN="true" CPD_USE_NT5_CHAIN_FLAG="true" /> 
  <FileInfo filePath="C:\27bdc74bb856563fafcae0b174567b0d\SetupUtility.exe" hasFileHandle="true" /> 
  <DigestInfo digestAlgorithm="SHA1" digest="E6A6550804A28A7E0276E81E052A07208DD35231" /> 
  <RegPolicySetting value="23C00" WTPF_OFFLINEOK_IND="true" WTPF_OFFLINEOK_COM="true" WTPF_OFFLINEOKNBU_IND="true" WTPF_OFFLINEOKNBU_COM="true" WTPF_IGNOREREVOCATIONONTS="true" /> 
  <SignatureSettingsFlags value="20000000" WSS_OUT_FILE_SUPPORTS_SEAL="true" /> 
- <SignerInfo>
  <DigestAlgorithm oid="1.3.14.3.2.26" hashName="SHA1" /> 
  </SignerInfo>
  <CertificateChain chainRef="{3F30DFD6-17A9-4406-AB9D-F7F33630F199}" /> 
- <TimestampInfo format="Authenticode">
  <DigestAlgorithm oid="1.3.14.3.2.26" hashName="SHA1" /> 
  <SignTime>2018-06-07T04:19:05Z</SignTime> 
  </TimestampInfo>
  <TimestampChain chainRef="{372F80D3-D788-4991-A901-80F818E3B643}" /> 
  <EventAuxInfo ProcessName="Setup.exe" /> 
  <CorrelationAuxInfo TaskId="{90F5A408-A65C-4776-B3DF-7C3F7F7DD051}" SeqNumber="9" /> 
  <Result value="0" /> 
  </WinVerifyTrust>
  </UserData>
  </Event>

The same event that Winlogbeat fetches and transfers looks like this:

{
  "@timestamp": "2022-08-15T12:01:54.908Z",
  "@metadata": {
    "beat": "winlogbeat",
    "type": "_doc",
    "version": "8.4.1"
  },
  "event": {
    "created": "2022-09-05T13:10:03.237Z",
    "code": "81",
    "kind": "event",
    "provider": "Microsoft-Windows-CAPI2",
    "action": "Vertrauenswürdigkeit überprüfen"
  },
  "log": {
    "level": "informationen"
  },
  "message": "Für weitere Informationen über dieses Ereignis, wenden Sie sich an den Abschnitt \"Details\"",
  "host": {
    "mac": [
      "08:00:27:16:36:30",
      "08:00:27:a8:9b:d7"
    ],
    "hostname": "dc",
    "name": "dc.adandomain2016.local",
    "architecture": "x86_64",
    "os": {
      "name": "Windows Server 2016 Standard",
      "kernel": "10.0.14393.447 (rs1_release_inmarket.161102-0100)",
      "build": "14393.447",
      "type": "windows",
      "platform": "windows",
      "version": "10.0",
      "family": "windows"
    },
    "id": "268b29af-b970-4d13-b11c-030e9d91fe43",
    "ip": [
      "10.0.2.15",
      "192.168.23.102"
    ]
  },
  "winlog": {
    "channel": "Microsoft-Windows-CAPI2/Operational",
    "user": {
      "type": "User",
      "identifier": "S-1-5-21-2609678811-3532437206-1426022710-1000",
      "domain": "ADANDOMAIN2016",
      "name": "vagrant"
    },
    "provider_name": "Microsoft-Windows-CAPI2",
    "keywords": [
      "Überprüfung der Vertrauenswürdigkeit"
    ],
    "computer_name": "dc.adandomain2016.local",
    "user_data": {
      "ActionID": "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
      "UIChoice": "WTD_UI_NONE",
      "StateAction": "WTD_STATEACTION_VERIFY",
      "xml_name": "WinVerifyTrust"
    },
    "event_id": "81",
    "task": "Vertrauenswürdigkeit überprüfen",
    "process": {
      "thread": {
        "id": 4132
      },
      "pid": 4832
    },
    "api": "wineventlog",
    "record_id": 58,
    "opcode": "Anhalten",
    "provider_guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}"
  },
  "ecs": {
    "version": "8.0.0"
  },
  "agent": {
    "type": "winlogbeat",
    "version": "8.4.1",
    "ephemeral_id": "b3a2912f-7d36-4bc0-b5ef-00ce0d3db2e0",
    "id": "b9cfcd58-cdf1-43f0-872a-65d3a471a8ef",
    "name": "dc"
  },
}

As you can see, the winlogbeat.user_data field only contains 4 key-value pairs. However, the original Windows event has way more data stored under the user_data field which is missing in Winlogbeats output. Does anyone have an idea how to fix this or is this a bug in Winlogbeat I should report?

system · October 4, 2022, 6:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat user.name is missing in event 4634 (Logoff Event) - ECS Missing Correlation Beats winlogbeat	11	1526	September 3, 2019
Winlogbeat missing winlog.event_data.IpAddress Beats winlogbeat	2	983	November 27, 2020
Winlogbeat data is not parsing properly Beats winlogbeat	9	1352	June 7, 2020
Parsing issue with Event ID 4740 Beats winlogbeat	2	599	September 23, 2022
Copy winlog.user.name (if present) to user.name (if missing) Beats winlogbeat	6	754	May 25, 2020

Winlogbeat: missing data in user_data field

Related Topics