Winlogbeat wrong values

I see the flows from my Windows computer, but I have for example:
account name: %1
domain name: %2
logon type: %9 ect.
For example, on Windows %1 is Computer1, domain name is testDomian ect.

Welcome to our community! :smiley:

It's not really clear what you are asking here, can you elaborate please.

Hi Mark,

I'm not sure if what the other person is experiencing is exactly the same, but i'm seeing something like this after updating to Winlogbeat 8.6.2 on some Windows 11 Enterprise machines also, with failed login events in particular. For example:

An account failed to log on.

	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Logon Type:			%11

Account For Which Logon Failed:
	Security ID:		%5
	Account Name:		%6
	Account Domain:		%7

Failure Information:
	Failure Reason:		%9
	Status:			%8
	Sub Status:		%10

Process Information:
	Caller Process ID:	%18
	Caller Process Name:	%19

Network Information:
	Workstation Name:	%14
	Source Network Address:	%20
	Source Port:		%21

Detailed Authentication Information:
	Logon Process:		%12
	Authentication Package:	%13
	Transited Services:	%15
	Package Name (NTLM only):	%16
	Key Length:		%17

Normally there should be actual info there instead of the variables, obviously. If I go to the computer itself and pull up Event Viewer, everything is showing in the logs as it should be, though.

1 Like

Thanks for that @Deathwing182! It might be worth raising an issue on GitHub for this.

Thanks much also - just opened an issue at Winlogbeat not showing failed login events (and possibly others) properly · Issue #34896 · elastic/beats · GitHub , hopefully did that properly.

1 Like

Hi Mark - sorry to bother you again, but there doesn't seem to have been any action at all on Github re: the issue I posted, and it's still persisting in 8.7 as far as I can tell.

Is there a better course of action to get this looked at? Or is it on someone's radar already & they just never replied on Github?

1 Like

Hello @Deathwing182,

It's sometimes hard to get something on Elastic's radar imho. For example I tried escalating an issue with the perfmon dataset for almost a year now, see Add support for wildcard, *, for SMB Server Shares in Windows module, Perfmon Metricset · Issue #31516 · elastic/beats · GitHub

The issue persist and makes it impossible to gather perfmon metrics containing * and \

Indexing perfmon metrics is such a basic monitoring feature we are baffled this doesn't work for so long..

This winlogbeat issue seems like a huge problem to me. Not being able to see logon information in a SIEM is really problematic.... Gave your GitHub issue a +1, hopefully it matters.



Appreciate it - yeah, not exactly a super urgent issue, but seems like it should be wide-spread enough to be on someone's radar.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.