Hi,
I'm analyzing Windows event logs coming from a winlogbeat 7.2.
When looking at the logoff event (id 4634) I see that the field user.name does not exist.
The field winlog.event_data.TargetUserName has the proper username (I've checked by correlating LogonID from events 4624 and 4634).
As far as I can see, all security events are treated by the processor:
Looking into C:\Program Files\winlogbeat\module\security\config\winlogbeat-security.js I found that winlog.event_data.TargetUserName is copied to user.name, so I don't understand why user.name does not exist
(example below)
4624 should have user.name, but 4634 isn't being handled by the module yet so it won't populate the fields. I wanted to get the module in place ASAP and continue to expand the events that it handles. In order to add new events we need to check what fields are in the event_data and then ensure that we have the appropriate mappings in place.
You'll see in the module that three event IDs are handled. These are listed in the docs too.
If you wanted to contribute to the module you can submit a pull request with the enhanced winlogbeat-security.js file and preferably an .evtx file for a test case.
I think what you would want to start with is
diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
index b598c686a..9ab1cc44c 100644
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -60,6 +60,10 @@ var security = (function () {
.Add(setProcessNameUsingExe)
.Build();
+ var logout = new processor.Chain()
+ .Add(convertAuthentication)
+ .Build();
+
return {
// 4624 - An account was successfully logged on.
4624: logonSuccess.Run,
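Review bot: the new `logout` chain runs only `convertAuthentication`, and a 4634 event does not carry every field that 4624 does (the thread later notes `IpAddress` and `IpPort` are absent), so please confirm in the PR that the convert processor inside `convertAuthentication` is configured with `ignore_missing`, otherwise the chain would fail on logoff events; a short comment above `var logout` stating that 4634 carries a subset of the logon fields would help the next reader. Minor: since the event text is "An account was logged off", `logoff` would be a more consistent name than `logout`.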
@@ -67,6 +71,9 @@ var security = (function () {
// 4625 - An account failed to log on.
4625: logonFailed.Run,
+ // 4634 - An account was logged off.
+ 4634: logout.Run,
+
// 4648 - A logon was attempted using explicit credentials.
4648: logonSuccess.Run,
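Review bot: the `4634: logout.Run` entry is correctly placed in numeric order between 4625 and 4648, but the module docs currently list only three handled event IDs, so the docs should be updated in the same PR to add `4634 - An account was logged off.`; the PR should also include a test `.evtx` containing 4634 events under `x-pack/winlogbeat/module/security/test/testdata` so a golden file can be generated and the new mapping is covered by the module tests.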
Hi Andrew
Thank you for your reply. I'll be testing winlogbeat in depth for the next two weeks, so if I can be of any help I'll be glad.
Regarding event 4634, not all the fields mapped in convertAuthentication are present.
For example, neither winlog.event_data.IpAddress nor winlog.event_data.IpPort exist.
Should all the fields be present?
Analyzing event 4624 I realize that winlog.event_data.ProcessName is not present but the conversion is taking place anyway.
If you confirm that convertAuthentication does not need all the fields, I'll submit the pull request with the .evtx file.
Thank you very much
Regards
Ana
Because the convert processor is configured with ignore_missing it will continue to work even if those fields are not present. What's important to check is that the fields that are present have the same meaning w.r.t. the target field (which it appears they do).
Hi Andrew, I've checked that the field is correct by correlating events 4624 and 4634 by LoginID.
I'll submit a pull request. Also I'm working with event 4672 (Special Logon), in which we have a similar situation.
How do I send the .evtx in order to test?
Thank you
Regards
Anna
Hi Andrew,
Last question. When processing event 4624, user.name is populated from winlog.event_data.TargetUserName, but when looking at events in the index that field does not exist.
Is that field removed before indexing into ES?
Thank you
Regards
Ana
Yep, fork, git clone, git add, git commit, and then open a PR from the website. Check out the contributing guide for a few more details.
Regarding providing an .evtx, from the Event Viewer you can filter the view to just the events you need for testing, then save them to an .evtx file. Once you have the .evtx file you can add it to x-pack/winlogbeat/module/security/test/testdata. If you have Go set up and are on Windows you can run go test . -update from the module/security/test directory and it will generate a .golden.json file based on the events in the newly added .evtx file. We commit that to the repo, then if there's ever a change that causes the generated events to not match those in the .golden.json file the tests will fail. But if you just add the .evtx file and open a PR I can take care of generating the new golden file.
Are you referring to the winlog.event_data.TargetUserName field? If so, yes, the convert processor is configured in rename mode (as opposed to copy) so TargetUserName will no longer exist after the processor runs.
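To make the two points in this answer concrete (ignore_missing skipping absent fields, and rename mode removing TargetUserName), here is an added example that models that convert-processor behaviour on constructed 4624 and 4634 event_data; it is not winlogbeat's own code, and the field list, sample events and helper names are assumptions.

```javascript
// Added example (not winlogbeat's own code): a minimal model of the
// "convert" processor semantics discussed above, i.e. rename mode plus
// ignore_missing, applied to constructed 4624 and 4634 event_data.

// Constructed sample events. 4634 (logoff) carries fewer fields than 4624.
const EVENT_4624 = { winlog: { event_id: 4624, event_data: {
  TargetUserName: "ana", TargetDomainName: "CORP", TargetLogonId: "0x3e7",
  IpAddress: "10.0.0.5", IpPort: "49152" } } };
const EVENT_4634 = { winlog: { event_id: 4634, event_data: {
  TargetUserName: "ana", TargetDomainName: "CORP", TargetLogonId: "0x3e7" } } };

// Assumed mapping list modelled on what the thread says convertAuthentication
// does; the real module's list is longer and may differ.
const AUTH_FIELDS = [
  { from: "winlog.event_data.TargetUserName", to: "user.name" },
  { from: "winlog.event_data.TargetDomainName", to: "user.domain" },
  { from: "winlog.event_data.IpAddress", to: "source.ip" },
  { from: "winlog.event_data.IpPort", to: "source.port", type: "long" },
];

// Dotted-path helpers (assumed; the real processor resolves paths itself).
function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}
function setPath(obj, path, value) {
  const keys = path.split("."), last = keys.pop();
  keys.reduce((o, k) => (o[k] = o[k] || {}), obj)[last] = value;
}
function deletePath(obj, path) {
  const keys = path.split("."), last = keys.pop();
  const parent = keys.length ? getPath(obj, keys.join(".")) : obj;
  if (parent && typeof parent === "object") delete parent[last];
}

// The processor: move (rename) or copy each mapped field. With ignoreMissing
// an absent source field is skipped; without it, the event fails.
function convert(event, fields, { mode = "rename", ignoreMissing = true } = {}) {
  const out = JSON.parse(JSON.stringify(event)); // work on a copy
  for (const f of fields) {
    const value = getPath(out, f.from);
    if (value === undefined) {
      if (ignoreMissing) continue;
      throw new Error(`field ${f.from} is missing`);
    }
    setPath(out, f.to, f.type === "long" ? Number(value) : value);
    if (mode === "rename") deletePath(out, f.from); // source field disappears
  }
  return out;
}
```

Run `convert(EVENT_4634, AUTH_FIELDS)` to see user.name populated with no source.* fields and no TargetUserName left in event_data, which is the behaviour observed in the index.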
I wasn't able to generate the .golden.json file (I got this Go error: security_windows_test.go:10:2: cannot find package "github.com/elastic/beats/x-pack/winlogbeat/module") but I did put the .evtx with the test data.