Winlogbeat running on Windows Event Collector - logs use the collector name instead of log sources


#1

I've been searching for a little bit without luck, so hopefully I'm not duplicating: I'm running Windows Event Forwarding => Windows Event Collector to collect logs from endpoints. While viewing the logs in Kibana, the computer_name field is populated with the collector/forwarder hostname instead of the original source the log came from. How do I keep the original hostname the logs are coming from instead of the collector/forwarder hostname?


(Andrew Kroh) #2

Can you please enable the include_xml setting and share one of the raw events in JSON form. You can copy the JSON right out of Kibana for convenience.


#3

Hopefully this is what you're after: win-event-collector is the WEC w/ Winlogbeat and Test-VM is the origin of the log:

{
"_index": "index-2017.12.14",
"_type": "AD",
"_id": "AWBWb8plUOhrYW6sEvT1",
"_version": 1,
"_score": null,
"_source": {
"process_id": 568,
"keywords": [
"Audit Success"
],
"record_number": "62568",
"event_data": {
"ProcessName": "-",
"LogonGuid": "{D067C328-D7D7-7572-C946-3D54C57763B7}",
"TargetOutboundDomainName": "-",
"VirtualAccount": "%%1843",
"IpPort": "-",
"TransmittedServices": "-",
"LmPackageName": "-",
"RestrictedAdminMode": "-",
"ElevatedToken": "%%1843",
"WorkstationName": "-",
"SubjectDomainName": "-",
"LogonProcessName": "Kerberos",
"TargetDomainName": "DOMAIN.COM",
"LogonType": "3",
"SubjectLogonId": "0x0",
"KeyLength": "0",
"TargetOutboundUserName": "-",
"TargetLogonId": "0x1a1a621e",
"SubjectUserName": "-",
"TargetLinkedLogonId": "0x0",
"IpAddress": "-",
"TargetUserName": "TEST-VM$",
"ImpersonationLevel": "%%1833",
"ProcessId": "0x0",
"SubjectUserSid": "S-1-0-0",
"TargetUserSid": "S-1-5-21-164900587-1611346948-1846952604-50365",
"AuthenticationPackageName": "Kerberos"
},
"opcode": "Info",
"type": "AD",
"index_type": "MyCompany",
"thread_id": 416,
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"@version": "1",
"activity_id": "{D9C11638-694E-0000-4C16-C1D94E69D301}",
"beat": {
"hostname": "win-event-collector",
"name": "win-event-collector",
"version": "6.0.0"
},
"host": "win-event-collector",
"company": "MyCompany",
"source_name": "Microsoft-Windows-Security-Auditing",
"computer_name": "win-event-collector.domain.com",
"log_name": "Security",
"level": "Information",
"message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tNo\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-164900587-1611346948-1846952604-50365\n\tAccount Name:\t\tTEST-VM$\n\tAccount Domain:\t\tDOMAIN.COM\n\tLogon ID:\t\t0x1A1A621E\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{D067C328-D7D7-7572-C946-3D54C57763B7}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
"version": 2,
"tags": [
"beats_input_codec_plain_applied"
],
"@timestamp": "2017-12-14T19:10:52.390Z",
"event_id": 4624,
"task": "Logon"
},
"fields": {
"@timestamp": [
1513278652390
]
},
"sort": [
1513278652390
]
}


(Andrew Kroh) #4

Partially, but I wanted you to enable the include_xml setting for the log so that we can see exactly what data is provided from Windows.

Try this in your config.

winlogbeat.event_logs:
 - name: ForwardedEvents
   include_xml: true
   forwarded: true
   tags: [forwarded]

Then post one of the events (like you did) that has the xml field.


#5

Here is one with the XML - I had to cut out most of the message because the max character limit was exceeded. Thanks:

"xml": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2017-12-14T21:06:09.454428000Z'/><EventRecordID>458942</EventRecordID><Correlation ActivityID='{E501AC65-7513-0000-D6AC-01E51375D301}'/><Execution ProcessID='568' ThreadID='660'/><Channel>Security</Channel><Computer>TEST-vm.DOMAIN.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>TEST-VM$</Data><Data Name='TargetDomainName'>DOMAIN.COM</Data><Data Name='TargetLogonId'>0x3a361</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{96D26956-54B1-81BE-9C8B-39FE0CAE8D30}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>::1</Data><Data Name='IpPort'>0</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData><RenderingInfo Culture='en-US'><Message>An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Information:\r\n\tLogon Type:\t\t3\r\n\tRestricted Admin 
Mode:\t-\r\n\tVirtual Account:\t\tNo\r\n\tElevated Token:\t\tYes\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTEST-VM$\r\n\tAccount Domain:\t\tDOMAIN.COM\r\n\tLogon ID:\t\t0x3A361\r\n\tLinked Logon ID:\t\t0x0\r\n\tNetwork Account Name:\t-\r\n\tNetwork Account Domain:\t-\r\n\tLogon GUID:\t\t{96D26956-54B1-81BE-9C8B-39FE0CAE8D30}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\t-\r\n\tSource Network Address:\t::1\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tKerberos\r\n\tAuthentication Package:\tKerberos\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.</Message><Level>Information</Level><Task>Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.

...
"message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tTEST-VM$\n\tAccount Domain:\t\tDOMAIN.COM\n\tLogon ID:\t\t0x3A361\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{96D26956-54B1-81BE-9C8B-39FE0CAE8D30}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t::1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",


(Andrew Kroh) #6

Can you drop it into a pastebin. It will be a lot easier to look at.


#7

Sure thing - https://pastebin.com/2qPcidLf


(Andrew Kroh) #8
"beat": {
  "hostname": "lbpdwniclog01",

"computer_name": "TEST-vm.DOMAIN.com",

<Computer>TEST-vm.DOMAIN.com</Computer>

To me this looks correct. Windows is telling Winlogbeat that the event's source computer is TEST-vm.DOMAIN.com (in the XML as <Computer> and in the JSON as computer_name). And the name of the collector machine where Winlogbeat is running is reported as lbpdwniclog01 (beat.hostname and beat.name in the JSON).
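As an added example that is not part of the thread or of Winlogbeat itself: the two events posted above differ in origin. The event in #3 carries <Computer> = the collector, and its EventData (logon type 3, TargetUserName TEST-VM$) is consistent with the forwarder's machine account authenticating to the collector, so that logon really happened on the collector and computer_name was already correct. The event in #5 carries <Computer> = TEST-vm.DOMAIN.com, the true source. The script below reads Winlogbeat 6.x JSON documents produced with include_xml: true, parses the <System><Computer> element and EventData out of the xml field, and reports whether each event was generated locally on the collector or forwarded from another host, plus whether computer_name agrees with the XML. The two sample documents are constructed, trimmed versions of the events in the thread (hostnames and field names taken from the posts; the XML bodies are shortened), not the pastebin contents.

```python
import json
import xml.etree.ElementTree as ET

# Default namespace used by every Windows event XML document.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event_xml(xml_text):
    """Extract the source computer, event id and EventData from event XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    if system is None:
        raise ValueError("not a Windows event: no <System> element")
    computer = system.findtext("e:Computer", default="", namespaces=EVENT_NS)
    event_id = int(system.findtext("e:EventID", default="0", namespaces=EVENT_NS))
    event_data = {}
    for item in root.iterfind("e:EventData/e:Data", EVENT_NS):
        event_data[item.get("Name", "")] = (item.text or "").strip()
    return {"computer": computer, "event_id": event_id, "event_data": event_data}


def hostname_label(name):
    """First DNS label, lower-cased, so 'TEST-vm.DOMAIN.com' matches 'test-vm'."""
    return name.split(".", 1)[0].lower()


def classify_origin(doc):
    """Decide whether a Winlogbeat document was generated on the collector or forwarded.

    doc: a Winlogbeat 6.x JSON document (fields 'beat.hostname', 'computer_name', 'xml').
    """
    parsed = parse_event_xml(doc["xml"])
    collector = doc["beat"]["hostname"]
    source = parsed["computer"]
    origin = "local" if hostname_label(source) == hostname_label(collector) else "forwarded"
    # Winlogbeat's computer_name should always equal <Computer> in the XML.
    consistent = doc.get("computer_name", "").lower() == source.lower()
    return {
        "event_id": parsed["event_id"],
        "source_computer": source,
        "collector": collector,
        "origin": origin,
        "computer_name_matches_xml": consistent,
        "target_user": parsed["event_data"].get("TargetUserName"),
        "logon_type": parsed["event_data"].get("LogonType"),
    }


def summarize(docs):
    """Classify a batch of documents; returns one result dict per document."""
    return [classify_origin(d) for d in docs]


def _event_xml(computer, target_user, ip_address):
    # Constructed, trimmed 4624 event XML in the shape Windows renders it.
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
        "<EventID>4624</EventID><Channel>Security</Channel>"
        f"<Computer>{computer}</Computer></System>"
        "<EventData>"
        f"<Data Name='TargetUserName'>{target_user}</Data>"
        "<Data Name='LogonType'>3</Data>"
        f"<Data Name='IpAddress'>{ip_address}</Data>"
        "</EventData></Event>"
    )


# Constructed sample: the event from post #3, which was logged on the collector itself.
LOCAL_DOC = {
    "beat": {"hostname": "win-event-collector", "name": "win-event-collector", "version": "6.0.0"},
    "computer_name": "win-event-collector.domain.com",
    "event_id": 4624,
    "xml": _event_xml("win-event-collector.domain.com", "TEST-VM$", "-"),
}

# Constructed sample: the event from post #5, forwarded from TEST-vm via WEF.
FORWARDED_DOC = {
    "beat": {"hostname": "win-event-collector", "name": "win-event-collector", "version": "6.0.0"},
    "computer_name": "TEST-vm.DOMAIN.com",
    "event_id": 4624,
    "xml": _event_xml("TEST-vm.DOMAIN.com", "TEST-VM$", "::1"),
}


if __name__ == "__main__":
    print(json.dumps(summarize([LOCAL_DOC, FORWARDED_DOC]), indent=2))
```

Running it against real documents exported from Kibana (one JSON object per document, loaded with json.load) shows at a glance which events actually came through ForwardedEvents; any document where computer_name_matches_xml is False would be worth a bug report, since that is the one case where Winlogbeat would be mislabelling the source.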

