Hi,
we are trying to ship event ID 81 (WinVerifyTrust) from the "Microsoft-Windows-CAPI2/Operational" channel. However, we noticed that most of the event's UserData payload is missing once the event has passed through Winlogbeat.
The original event, as shown in the Windows Event Viewer XML view, looks like this:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>81</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>80</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000040</Keywords>
<TimeCreated SystemTime="2022-08-15T12:01:54.908292900Z" />
<EventRecordID>58</EventRecordID>
<Correlation />
<Execution ProcessID="4832" ThreadID="4132" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>dc.adandomain2016.local</Computer>
<Security UserID="S-1-5-21-2609678811-3532437206-1426022710-1000" />
</System>
- <UserData>
- <WinVerifyTrust>
<ActionID>{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}</ActionID>
<UIChoice value="2">WTD_UI_NONE</UIChoice>
<RevocationCheck value="0" />
<StateAction value="1">WTD_STATEACTION_VERIFY</StateAction>
<Flags value="80000040" WTD_REVOCATION_CHECK_CHAIN="true" CPD_USE_NT5_CHAIN_FLAG="true" />
<FileInfo filePath="C:\27bdc74bb856563fafcae0b174567b0d\SetupUtility.exe" hasFileHandle="true" />
<DigestInfo digestAlgorithm="SHA1" digest="E6A6550804A28A7E0276E81E052A07208DD35231" />
<RegPolicySetting value="23C00" WTPF_OFFLINEOK_IND="true" WTPF_OFFLINEOK_COM="true" WTPF_OFFLINEOKNBU_IND="true" WTPF_OFFLINEOKNBU_COM="true" WTPF_IGNOREREVOCATIONONTS="true" />
<SignatureSettingsFlags value="20000000" WSS_OUT_FILE_SUPPORTS_SEAL="true" />
- <SignerInfo>
<DigestAlgorithm oid="1.3.14.3.2.26" hashName="SHA1" />
</SignerInfo>
<CertificateChain chainRef="{3F30DFD6-17A9-4406-AB9D-F7F33630F199}" />
- <TimestampInfo format="Authenticode">
<DigestAlgorithm oid="1.3.14.3.2.26" hashName="SHA1" />
<SignTime>2018-06-07T04:19:05Z</SignTime>
</TimestampInfo>
<TimestampChain chainRef="{372F80D3-D788-4991-A901-80F818E3B643}" />
<EventAuxInfo ProcessName="Setup.exe" />
<CorrelationAuxInfo TaskId="{90F5A408-A65C-4776-B3DF-7C3F7F7DD051}" SeqNumber="9" />
<Result value="0" />
</WinVerifyTrust>
</UserData>
</Event>
The same event, as fetched and forwarded by Winlogbeat 8.4.1, looks like this:
{
"@timestamp": "2022-08-15T12:01:54.908Z",
"@metadata": {
"beat": "winlogbeat",
"type": "_doc",
"version": "8.4.1"
},
"event": {
"created": "2022-09-05T13:10:03.237Z",
"code": "81",
"kind": "event",
"provider": "Microsoft-Windows-CAPI2",
"action": "Vertrauenswürdigkeit überprüfen"
},
"log": {
"level": "informationen"
},
"message": "Für weitere Informationen über dieses Ereignis, wenden Sie sich an den Abschnitt \"Details\"",
"host": {
"mac": [
"08:00:27:16:36:30",
"08:00:27:a8:9b:d7"
],
"hostname": "dc",
"name": "dc.adandomain2016.local",
"architecture": "x86_64",
"os": {
"name": "Windows Server 2016 Standard",
"kernel": "10.0.14393.447 (rs1_release_inmarket.161102-0100)",
"build": "14393.447",
"type": "windows",
"platform": "windows",
"version": "10.0",
"family": "windows"
},
"id": "268b29af-b970-4d13-b11c-030e9d91fe43",
"ip": [
"10.0.2.15",
"192.168.23.102"
]
},
"winlog": {
"channel": "Microsoft-Windows-CAPI2/Operational",
"user": {
"type": "User",
"identifier": "S-1-5-21-2609678811-3532437206-1426022710-1000",
"domain": "ADANDOMAIN2016",
"name": "vagrant"
},
"provider_name": "Microsoft-Windows-CAPI2",
"keywords": [
"Überprüfung der Vertrauenswürdigkeit"
],
"computer_name": "dc.adandomain2016.local",
"user_data": {
"ActionID": "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"UIChoice": "WTD_UI_NONE",
"StateAction": "WTD_STATEACTION_VERIFY",
"xml_name": "WinVerifyTrust"
},
"event_id": "81",
"task": "Vertrauenswürdigkeit überprüfen",
"process": {
"thread": {
"id": 4132
},
"pid": 4832
},
"api": "wineventlog",
"record_id": 58,
"opcode": "Anhalten",
"provider_guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}"
},
"ecs": {
"version": "8.0.0"
},
"agent": {
"type": "winlogbeat",
"version": "8.4.1",
"ephemeral_id": "b3a2912f-7d36-4bc0-b5ef-00ce0d3db2e0",
"id": "b9cfcd58-cdf1-43f0-872a-65d3a471a8ef",
"name": "dc"
},
}
As you can see, the `winlog.user_data` object contains only four key-value pairs (`ActionID`, `UIChoice`, `StateAction`, `xml_name`). The original event carries far more under `<UserData>`, and the dropped fields are exactly the ones a detection or forensic use case needs: `FileInfo filePath` (the binary that was verified), `DigestInfo digest` (its SHA-1 Authenticode hash), `SignerInfo`, the `CertificateChain`/`TimestampChain` references, `TimestampInfo SignTime`, `EventAuxInfo ProcessName`, the `RevocationCheck`/`Flags`/`RegPolicySetting` values, and above all `Result`, without which the outcome of the trust check is not visible at all. Looking at what survives, it appears that only elements with plain text content are kept, while attribute-only elements (`<FileInfo .../>`, `<DigestInfo .../>`, `<Result .../>`) and nested elements (`<SignerInfo>`, `<TimestampInfo>`) are silently discarded — I have not confirmed this against the Winlogbeat code. Note also that `winlog.task`, `winlog.opcode`, `log.level` and `event.action` arrive localized (German here), so any rule should key on `event.code`/`winlog.event_id` rather than on those strings. Does anyone know of a setting that preserves the full payload — for example shipping the raw event XML for this channel (Winlogbeat's `include_xml` option, if it is still available in 8.4) and parsing it downstream — or is this a bug I should report against Winlogbeat 8.4.1?