Winlogbeat wrong values

I see the flows from my Windows computer, but I have for example:
account name: %1
domain name: %2
logon type: %9 etc.
For example, on Windows %1 is Computer1, domain name is testDomain etc.

Welcome to our community! :smiley:

It's not really clear what you are asking here, can you elaborate please.

Hi Mark,

I'm not sure if what the other person is experiencing is exactly the same, but I'm seeing something like this after updating to Winlogbeat 8.6.2 on some Windows 11 Enterprise machines also, with failed login events in particular. For example:

An account failed to log on.

Subject:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Logon Type:			%11

Account For Which Logon Failed:
	Security ID:		%5
	Account Name:		%6
	Account Domain:		%7

Failure Information:
	Failure Reason:		%9
	Status:			%8
	Sub Status:		%10

Process Information:
	Caller Process ID:	%18
	Caller Process Name:	%19

Network Information:
	Workstation Name:	%14
	Source Network Address:	%20
	Source Port:		%21

Detailed Authentication Information:
	Logon Process:		%12
	Authentication Package:	%13
	Transited Services:	%15
	Package Name (NTLM only):	%16
	Key Length:		%17

Normally there should be actual info there instead of the variables, obviously. If I go to the computer itself and pull up Event Viewer, everything is showing in the logs as it should be, though.

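The symptom above (a shipped message that still contains the raw insertion-string placeholders %1 to %21 instead of the rendered values) is easy to miss once the events are in a SIEM, because the documents still index without error. The following is an added example, not code from the thread or from Winlogbeat itself: a small data-quality check that scans documents in the shape Winlogbeat ships and reports which hosts and event IDs are arriving unrendered. The sample documents are constructed for the example, and the field names it reads (`message`, `winlog.event_id`, `host.name`) are assumed to match the Winlogbeat output format.

```python
import json
import re
from collections import Counter
from typing import Dict, List

# An unresolved insertion-string placeholder looks like "%1" or "%21".
# The digit requirement keeps literal percentages ("100% used") from matching.
PLACEHOLDER_RE = re.compile(r"%(\d{1,2})\b")

# Constructed sample documents (hypothetical hosts and values) in the shape
# Winlogbeat ships to Elasticsearch; only the fields this check reads are set.
SAMPLE_DOCS = [
    json.dumps({
        "host": {"name": "WIN11-ENT-01"},
        "winlog": {"event_id": "4625", "channel": "Security"},
        "message": "An account failed to log on.\n\nSubject:\n"
                   "\tSecurity ID:\t\t%1\n\tAccount Name:\t\t%2\n\n"
                   "Logon Type:\t\t\t%11\n",
    }),
    json.dumps({
        "host": {"name": "WIN11-ENT-02"},
        "winlog": {"event_id": "4624", "channel": "Security"},
        "message": "An account was successfully logged on.\n\nSubject:\n"
                   "\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN11-ENT-02$\n",
    }),
    json.dumps({
        "host": {"name": "WIN11-ENT-01"},
        "winlog": {"event_id": "4625", "channel": "Security"},
        "message": "An account failed to log on.\n\nSubject:\n"
                   "\tSecurity ID:\t\t%1\n\tAccount Name:\t\t%2\n",
    }),
    json.dumps({
        "host": {"name": "WIN11-ENT-03"},
        "winlog": {"event_id": "1102", "channel": "Security"},
        "message": "The audit log was cleared. Disk was 100% full on this host.",
    }),
]


def unresolved_placeholders(message: str) -> List[str]:
    """Return the distinct %N placeholders left in a message, in order of appearance."""
    seen: List[str] = []
    for match in PLACEHOLDER_RE.finditer(message or ""):
        token = "%" + match.group(1)
        if token not in seen:
            seen.append(token)
    return seen


def audit_documents(raw_docs: List[str]) -> Dict:
    """Scan shipped documents and summarise which hosts/event IDs carry unrendered messages."""
    broken: Counter = Counter()
    total: Counter = Counter()
    findings: List[Dict] = []
    for raw in raw_docs:
        doc = json.loads(raw)
        event_id = str(doc.get("winlog", {}).get("event_id", "unknown"))
        host = doc.get("host", {}).get("name", "unknown")
        total[event_id] += 1
        tokens = unresolved_placeholders(doc.get("message", ""))
        if tokens:
            broken[event_id] += 1
            findings.append({"host": host, "event_id": event_id, "placeholders": tokens})
    return {
        "findings": findings,
        "broken_by_event_id": dict(broken),
        "total_by_event_id": dict(total),
    }


def hosts_to_investigate(summary: Dict) -> List[str]:
    """Distinct hosts whose events arrived unrendered, sorted for a ticket or dashboard."""
    return sorted({f["host"] for f in summary["findings"]})


if __name__ == "__main__":
    result = audit_documents(SAMPLE_DOCS)
    for event_id, count in sorted(result["broken_by_event_id"].items()):
        print(f"event {event_id}: {count}/{result['total_by_event_id'][event_id]} unrendered")
    print("hosts to check:", ", ".join(hosts_to_investigate(result)))
```

Run against an export of recent Security-channel documents (for example the JSON hits of a search on `event.code:4625`), the per-event-ID ratio tells you whether the problem is confined to specific event templates, as reported in this thread, and the host list tells you which machines to compare against their local Event Viewer.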

Thanks for that @Deathwing182! It might be worth raising an issue on GitHub for this.

Thanks much also - just opened an issue at Winlogbeat not showing failed login events (and possibly others) properly · Issue #34896 · elastic/beats · GitHub, hopefully did that properly.


Hi Mark - sorry to bother you again, but there doesn't seem to have been any action at all on GitHub re: the issue I posted, and it's still persisting in 8.7 as far as I can tell.

Is there a better course of action to get this looked at? Or is it on someone's radar already & they just never replied on GitHub?


Hello @Deathwing182,

It's sometimes hard to get something on Elastic's radar imho. For example I tried escalating an issue with the perfmon dataset for almost a year now, see Add support for wildcard, *, for SMB Server Shares in Windows module, Perfmon Metricset · Issue #31516 · elastic/beats · GitHub

The issue persists and makes it impossible to gather perfmon metrics containing * and \

Indexing perfmon metrics is such a basic monitoring feature we are baffled this hasn't worked for so long.

This winlogbeat issue seems like a huge problem to me. Not being able to see logon information in a SIEM is really problematic.... Gave your GitHub issue a +1, hopefully it matters.

Willem


Appreciate it - yeah, not exactly a super urgent issue, but it seems like it should be widespread enough to be on someone's radar.
