Winlogbeat user.name is missing in event 4634 (Logoff Event) - ECS Missing Correlation

Hi,
I'm analyzing Windows event logs coming from winlogbeat 7.2.
When looking at the logoff event (id 4634) I see that the field user.name does not exist.
The field winlog.event_data.TargetUserName has the proper username (I've checked correlating LogonID from events 4624 and 4634).

As far as I can see, all security events are treated by the processor:

- name: Security
  processors:
    - script:
        lang: javascript
        id: security
        file: ${path.home}/module/security/config/winlogbeat-security.js

Looking into C:\Program Files\winlogbeat\module\security\config\winlogbeat-security.js I found that winlog.event_data.TargetUserName is copied to user.name, so I don't understand why user.name does not exist
(example below)

Thank you very much in advance
Regards
Ana

Thanks for testing out the new module.

4624 should have user.name, but 4634 isn't being handled by the module yet so it won't populate the fields. I wanted to get the module in place ASAP and continue to expand the events that it handles. In order to add new events we need to check what fields are in the event_data and then ensure that we have the appropriate mappings in place.

You'll see in the module that three event IDs are handled. These are listed in the docs too.

If you wanted to contribute to the module you can submit a pull request with the enhanced winlogbeat-security.js file and preferably an .evtx file for a test case.

I think what you would want to start with is

diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
index b598c686a..9ab1cc44c 100644
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -60,6 +60,10 @@ var security = (function () {
         .Add(setProcessNameUsingExe)
         .Build();
 
+    var logout = new processor.Chain()
+        .Add(convertAuthentication)
+        .Build();
+
     return {
         // 4624 - An account was successfully logged on.
         4624: logonSuccess.Run,
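Review bot: the new `logout` chain reuses `convertAuthentication`, so its result on a 4634 event depends entirely on that processor tolerating the fields a logoff record does not carry (IpAddress, IpPort and similar); confirm `ignore_missing` is set on it and back the new handler with an .evtx-driven golden test, as the reply above suggests. A naming nit: the comments in this file use the Windows wording ("logged off"), so `logoff` would match the surrounding style better than `logout`.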
@@ -67,6 +71,9 @@ var security = (function () {
         // 4625 - An account failed to log on.
         4625: logonFailed.Run,
 
+        // 4634 - An account was logged off.
+        4634: logout.Run,
+
         // 4648 - A logon was attempted using explicit credentials.
         4648: logonSuccess.Run,
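Review bot: the hunk maps only 4634; the user-initiated logoff event 4647 is the natural sibling and the change that was eventually merged handles both, so consider adding `4647: logout.Run,` here in the same PR. The handled event IDs are also listed in the module docs, so that list needs updating alongside this mapping.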

Hi Andrew
Thank you for your reply. I'll be testing winlogbeat in depth for the next two weeks, so if I can be of any help I'll be glad.
Regarding event 4634, not all the fields mapped in convertAuthentication are present.
For example, neither winlog.event_data.IpAddress nor winlog.event_data.IpPort exists.

Should all the fields be present?
Analyzing event 4624 I realized that winlog.event_data.ProcessName is not present but the conversion is taking place anyway.
If you confirm that convertAuthentication does not need all the fields, I'll submit the pull request with the .evtx file.
Thank you very much
Regards
Ana

Because the convert processor is configured with ignore_missing it will continue to work even if those fields are not present. What's important to check is that the fields that are present have the same meaning w.r.t. the target field (which it appears they do).

Hi Andrew, I've checked that the field is correct by correlating events 4624 and 4634 by LoginID.
I'll submit a pull request. Also I'm working with event 4672 (Special Logon), in which we have a similar situation.
How do I send the .evtx in order to test?
Thank you
Regards
Anna

Hi Andrew,
Last question. When processing event 4624, user.name is populated from winlog.event_data.TargetUserName, but when looking at events in the index that field does not exist.
Is that field removed before indexing into ES?
Thank you
Regards
Ana

Should I fork the repo https://github.com/elastic/beats, clone it, make the modifications and then submit a pull request with base=master?

Thank you
Ana

Yep, fork, git clone, git add, git commit, and then open a PR from the website. Check out the contributing guide for a few more details.

Regarding providing an .evtx, from the Event Viewer you can filter the view to just the events you need for testing, then save them to an .evtx file. Once you have the .evtx file you can add it to x-pack/winlogbeat/module/security/test/testdata. If you have Go set up and are on Windows you can run go test . -update from the module/security/test directory and it will generate a .golden.json file based on the events in the newly added .evtx file. We commit that to the repo; then if there's ever a change that causes the generated events to not match those in the .golden.json file, the tests will fail. But if you just add the .evtx file and open a PR I can take care of generating the new golden file.

Are you referring to the winlog.event_data.TargetUserName field? If so, yes, the convert processor is configured in rename mode (as opposed to copy) so TargetUserName will no longer exist after the processor runs.
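The two behaviours discussed above (ignore_missing letting convertAuthentication run on a 4634 event that lacks IpAddress/IpPort, and rename mode removing winlog.event_data.TargetUserName after populating user.name) as an added example. This is a small stand-alone model of the Beats convert processor, not Winlogbeat's own code or API; the field list and the event objects are constructed for illustration.

```javascript
// Minimal model of a Beats-style "convert" processor: copy or rename dotted
// fields, optionally ignoring ones that are absent. Constructed for this
// example; it is not the real winlogbeat processor API.
function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}
function setPath(obj, path, value) {
  const keys = path.split(".");
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}
function deletePath(obj, path) {
  const keys = path.split(".");
  const parent = getPath(obj, keys.slice(0, -1).join("."));
  if (parent && typeof parent === "object") delete parent[keys[keys.length - 1]];
}
function makeConvert({ fields, ignoreMissing, mode }) {
  return function (event) {
    for (const f of fields) {
      const v = getPath(event, f.from);
      if (v === undefined) {
        if (ignoreMissing) continue;            // 4634 has no IpAddress: skip it
        throw new Error("missing field " + f.from);
      }
      setPath(event, f.to, v);
      if (mode === "rename") deletePath(event, f.from); // source is gone after rename
    }
    return event;
  };
}
// Assumed subset of the ECS mappings; the real module's list is longer.
const authFields = [
  { from: "winlog.event_data.TargetUserName", to: "user.name" },
  { from: "winlog.event_data.TargetDomainName", to: "user.domain" },
  { from: "winlog.event_data.IpAddress", to: "source.ip" },
  { from: "winlog.event_data.IpPort", to: "source.port" },
];
const convertAuthentication = makeConvert({ fields: authFields, ignoreMissing: true, mode: "rename" });
const strictConvert = makeConvert({ fields: authFields, ignoreMissing: false, mode: "copy" });
// Constructed events: a logoff (4634) carries no network fields, a logon (4624) does.
function logoffEvent() {
  return { winlog: { event_id: 4634, event_data: { TargetUserName: "ana", TargetDomainName: "CORP", TargetLogonId: "0x3e7" } } };
}
function logonEvent() {
  return { winlog: { event_id: 4624, event_data: { TargetUserName: "ana", TargetDomainName: "CORP", IpAddress: "10.0.0.5", IpPort: "49152" } } };
}
```

Running convertAuthentication over the logoff event yields user.name without any source.* fields and without winlog.event_data.TargetUserName, while the strict variant throws on the first missing field.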

Hi Andrew,
It is done.

I wasn't able to generate the .golden.json file (I got this go error: security_windows_test.go:10:2: cannot find package "github.com/elastic/beats/x-pack/winlogbeat/module"), but I did put in the .evtx with the test data.

Regards
Ana

For anyone following along this change has been merged into Winlogbeat. The Security module will handle logout events 4634 and 4647.

Hi Andrew,
Are the changes available in version 7.3? Documentation does not mention events 4634 and 4647
Regards
Ana
