Winlogbeat not all events are parsed

Hello!
I have ELK stack 6.6.2 and some beats installed.
The problem is that some fields from Winlogbeat are not parsed.
For example event_id 4663 "Message" field contains:

Access Request Information:
Accesses: ReadData (or ListDirectory)
Access Mask: 0x1

"Access Mask" field was parsed, Accesses field was not.

I don't apply any filters to winlogbeat events in Logstash.
How can I get parsed "Accesses" field?

Available fields, filtered by "access":
event_data.AccessList
event_data.AccessList.keyword
event_data.AccessMask
event_data.AccessMask.keyword

Winlogbeat config:

tags: ["winlogbeat"]
winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System
output.logstash:
  hosts: ["logstash1:5044"]
logging.level: error

Logstash config:

input {
 beats {
    host => "192.168.1.10"
    port => 5044
    client_inactivity_timeout => 600
 }
}

output {
    if "winlogbeat" in [tags] {
        elasticsearch {
                hosts => ["192.168.1.10:9200"]
                index => "winlogbeat-eventlog-%{+YYYY.MM.dd}"
        }
    } 
}

Thanks a lot

Hi,

The information about "accesses" comes encoded into the event_data.AccessList field. Currently Winlogbeat does not decode this field.

In your case, you have:

event_data.AccessList: "%%416"

Which means

You can see the mappings from access code to permission here:

I've created an enhancement request to make this mapping automatically from Winlogbeat:
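Until Winlogbeat decodes the field itself, the decoding can be done on the way into Elasticsearch. The block below is an added example, not code from the original thread or from Winlogbeat/Logstash: it turns the `%%NNNN` codes in `event_data.AccessList` into the same names the "Accesses" line of the message shows, decodes `event_data.AccessMask` from its bits, and flags any event where the two disagree. The code table is a partial msobjs.dll message table as I recall it and is an assumption to verify against the mapping linked in the answer above; the access-mask bits are the standard Win32 file access rights. The sample event is constructed to mirror the 4663 event quoted in the question.

```python
import re

# Partial table of msobjs.dll message IDs seen in the AccessList of event
# 4663. Assumption: recalled from the Microsoft message table; verify each
# entry against the mapping linked in the answer before relying on it.
MSOBJS_ACCESS_NAMES = {
    "%%4416": "ReadData (or ListDirectory)",
    "%%4417": "WriteData (or AddFile)",
    "%%4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "%%4419": "ReadEA",
    "%%4420": "WriteEA",
    "%%4421": "Execute/Traverse",
    "%%4422": "DeleteChild",
    "%%4423": "ReadAttributes",
    "%%4424": "WriteAttributes",
    "%%1537": "DELETE",
    "%%1538": "READ_CONTROL",
    "%%1539": "WRITE_DAC",
    "%%1540": "WRITE_OWNER",
    "%%1541": "SYNCHRONIZE",
}

# Standard Win32 file access-mask bits (winnt.h), used to cross-check the
# decoded AccessList against the AccessMask that Winlogbeat already parses.
ACCESS_MASK_BITS = [
    (0x00000001, "ReadData (or ListDirectory)"),
    (0x00000002, "WriteData (or AddFile)"),
    (0x00000004, "AppendData (or AddSubdirectory or CreatePipeInstance)"),
    (0x00000008, "ReadEA"),
    (0x00000010, "WriteEA"),
    (0x00000020, "Execute/Traverse"),
    (0x00000040, "DeleteChild"),
    (0x00000080, "ReadAttributes"),
    (0x00000100, "WriteAttributes"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]

CODE_RE = re.compile(r"%%\d+")


def decode_access_list(access_list):
    """Map '%%4416 %%4423' to permission names; unknown codes are kept verbatim."""
    return [MSOBJS_ACCESS_NAMES.get(code, code) for code in CODE_RE.findall(access_list or "")]


def decode_access_mask(access_mask):
    """Expand a hex AccessMask such as '0x1' into the names of its set bits."""
    mask = int(access_mask, 16)
    return [name for bit, name in ACCESS_MASK_BITS if mask & bit]


def enrich_event(event_data):
    """Return a copy of event_data with a decoded Accesses list.

    AccessesMatchMask is False when the list and the mask disagree or when the
    list contains a code not in the table, so such events are easy to find.
    """
    out = dict(event_data)
    names = decode_access_list(event_data.get("AccessList", ""))
    out["Accesses"] = names
    if "AccessMask" in event_data:
        known = sorted(n for n in names if not n.startswith("%%"))
        unknown = [n for n in names if n.startswith("%%")]
        out["AccessesMatchMask"] = not unknown and known == sorted(
            decode_access_mask(event_data["AccessMask"]))
    return out


# Constructed sample mirroring the 4663 event quoted in the question.
SAMPLE_EVENT_DATA = {"AccessList": "%%4416", "AccessMask": "0x1", "ObjectType": "File"}

if __name__ == "__main__":
    print(enrich_event(SAMPLE_EVENT_DATA))
```

The same dictionary can be applied per code inside the Logstash pipeline (for example with a translate filter keyed on the individual `%%NNNN` tokens of `[event_data][AccessList]`), which keeps the decoded names queryable in Kibana without changing Winlogbeat.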
