Winlogbeat not all events are parsed

I have ELK stack 6.6.2 and some beats installed.
The problem is that some fields from Winlogbeat are not parsed.
For example, the "Message" field of event_id 4663 contains:

Access Request Information:
Accesses: ReadData (or ListDirectory)
Access Mask: 0x1

The "Access Mask" field was parsed; the "Accesses" field was not.

I don't apply any filters to winlogbeat events in Logstash.
How can I get the "Accesses" field parsed?

Available fields, filtered by "access":

Winlogbeat config:

tags: ["winlogbeat"]
# Event log channels to collect
winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System
# Ship events to Logstash
output.logstash:
  hosts: ["logstash1:5044"]
logging.level: error

Logstash config:

input {
  beats {
    host => ""
    port => 5044
    client_inactivity_timeout => 600
  }
}

output {
  if "winlogbeat" in [tags] {
    elasticsearch {
      hosts => [""]
      index => "winlogbeat-eventlog-%{+YYYY.MM.dd}"
    }
  }
}

Thanks a lot


The information about "accesses" comes encoded into the event_data.AccessList field. Currently Winlogbeat does not decode this field.

In your case, you have:

event_data.AccessList: "%%416"

Which means

You can see the mappings from access code to permission here:

I've created an enhancement request to make this mapping automatically from Winlogbeat:
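
As an added illustration (not part of the original thread and not Winlogbeat's own code), here is a decoder for the file-object access codes of event 4663, using the code table from Microsoft's documentation for that event; the function and constant names are hypothetical. It also derives the same names from the Access Mask field, so the 0x1 in the question resolves to ReadData (or ListDirectory).

```ruby
# Added example: decode Windows event 4663 access codes for file objects.
# Table values follow Microsoft's documentation for event 4663; the names
# of the constants and functions below are hypothetical.

# Message-table identifiers found in event_data.AccessList.
ACCESS_CODES = {
  4416 => "ReadData (or ListDirectory)",
  4417 => "WriteData (or AddFile)",
  4418 => "AppendData (or AddSubdirectory or CreatePipeInstance)",
  4419 => "ReadEA",
  4420 => "WriteEA",
  4421 => "Execute/Traverse",
  4422 => "DeleteChild",
  4423 => "ReadAttributes",
  4424 => "WriteAttributes",
  1537 => "DELETE",
  1538 => "READ_CONTROL",
  1539 => "WRITE_DAC",
  1540 => "WRITE_OWNER",
  1541 => "SYNCHRONIZE",
  1542 => "ACCESS_SYS_SEC"
}.freeze

# Access-mask bit => message-table identifier for the same right.
MASK_BITS = {
  0x1 => 4416, 0x2 => 4417, 0x4 => 4418, 0x8 => 4419, 0x10 => 4420,
  0x20 => 4421, 0x40 => 4422, 0x80 => 4423, 0x100 => 4424,
  0x10000 => 1537, 0x20000 => 1538, 0x40000 => 1539, 0x80000 => 1540,
  0x100000 => 1541, 0x1000000 => 1542
}.freeze

# "%%4416 %%4423" -> ["ReadData (or ListDirectory)", "ReadAttributes"]
# Codes missing from the table are kept verbatim so nothing is dropped.
def decode_access_list(access_list)
  access_list.to_s.scan(/%%(\d+)/).flatten.map do |code|
    ACCESS_CODES.fetch(code.to_i, "%%#{code}")
  end
end

# "0x10080" -> ["ReadAttributes", "DELETE"], derived from AccessMask.
def decode_access_mask(mask)
  value = Integer(mask.to_s.strip, 16)
  MASK_BITS.select { |bit, _| (value & bit) != 0 }.map { |_, code| ACCESS_CODES[code] }
end
```

In Logstash, functions like these could be called from a ruby filter to add a decoded field before indexing, which makes searches for writes or deletes on audited files straightforward.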
