Winlogbeat @timestamp Field Problem

leantw1ce · November 8, 2016, 5:23pm

Hi, first of all my english is not good enough so sorry about that. I have ELK on an Ubuntu server. Logstash version is 2.3.4, Elastichsearch 1.7.3, and Kibana 4.1.2. I could successfully obtain logs of another Ubuntu server with Filebeat and it works fine. Now I installed Winlogbeat on a Windows 7 Ultimate 32 bits. At first the two machines worked well but after ten minutes I couldn't see windows logs. After shutting down the other Ubuntu server I checked Winlogbeat logs and I realized that the time of the publish event on Winlogbeat didn't match with the @timestamp field. I can receive these logs but I have to change the Kibana timer to "Last 2 hours".

Winlogbeat log:

2016-11-08T16:36:54+01:00 DBG  Publish: {
  "@timestamp": "2016-11-08T15:36:52.492Z",
  "beat": {
    "hostname": "Admin-PC",
    "name": "Admin-PC",
    "version": "5.0.0"
  },
  "computer_name": "Admin-PC",
  "event_data": {
    "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege",
    "SubjectDomainName": "NT AUTHORITY",
    "SubjectLogonId": "0x3e7",
    "SubjectUserName": "SYSTEM",
    "SubjectUserSid": "S-1-5-18"
  },
  "event_id": 4672,
  "keywords": [
    "Auditoría correcta"
  ],
  "level": "Información",
  "log_name": "Security",
  "message": "Se asignaron privilegios especiales a un nuevo inicio de sesión.\n\nSujeto:\n\tId. de seguridad:\t\tS-1-5-18\n\tNombre de cuenta:\t\tSYSTEM\n\tDominio de cuenta:\t\tNT AUTHORITY\n\tId. de inicio de sesión:\t\t0x3e7\n\nPrivilegios:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege",
  "opcode": "Información",
  "process_id": 480,
  "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "record_number": "611",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "task": "Inicio de sesión especial",
  "thread_id": 528,
  "type": "wineventlog"
}

Sorry for the large text, any help would be appreciated. Thanks.

andrewkroh · November 14, 2016, 2:09pm

The @timestamp field is set to the time when the event was generated on Windows, not the time when the event is read by Winlogbeat.

If you need a separate timestamp indicating when the event was received, you could add that using Logstash.

system · December 12, 2016, 2:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.