I have events from a server being sent to Logstash, but no event IDs or XML data are being passed.
Below are examples of the Winlogbeat config and the logs I'm getting. It's sending all events, but the information I would need to filter (drop) a packet is missing. I tried to include the full XML data because I felt that could possibly contain the information I need, but I'm not getting that either. Any thoughts?
winlogbeat.event_logs:
  - name: Application
    include_xml: true
    ignore_older: 72h
  - name: Security
    include_xml: true
  - name: System
    include_xml: true
Here is what the log output looks like:
2018-06-07T18:45:21.482Z la-security-6 The Windows Time service entered the running state.
or:
2018-06-07T18:44:29.856Z la-security-6 Permissions on an object were changed.
Subject:
Security ID: S-1-5-18
Account Name: LA-SECURITY-6$
Account Domain: KINO
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: Token
Object Name: -
Handle ID: 0x234
Process:
Process ID: 0x20c
Process Name: C:\Windows\System32\services.exe
Permissions Change:
Original Security Descriptor: D:(A;;GA;;;SY)(A;;GA;;;LS)
New Security Descriptor:
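For comparison, here is an added example of a Winlogbeat configuration that filters at the collector rather than in Logstash. It is not the poster's config and nothing here is taken from their environment; the event ID values (4624, 4634, 4670) and the Logstash host are constructed placeholders, and the field name `event_id` in the `drop_event` condition assumes the flat field layout Winlogbeat 6.x sends. Filtering on the Security log with `event_id` drops unwanted events before they leave the host, and `include_xml` is only needed when the raw XML itself has to be shipped:

```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
    # Only collect logon (4624), logoff (4634) and permission-change (4670)
    # events; the leading "-" excludes an ID instead of including it.
    # These IDs are illustrative placeholders, not taken from the question.
    event_id: 4624, 4634, -4670
    # Raw XML is large; enable it only if Logstash must see the full payload.
    include_xml: false
  - name: System

processors:
  # Collector-side drop for a specific event, as an alternative to a
  # Logstash "drop {}" filter. Assumes the 6.x flat "event_id" field name.
  - drop_event:
      when:
        equals:
          event_id: 4634

output.logstash:
  # Placeholder host; replace with the real Logstash endpoint.
  hosts: ["logstash.example.internal:5044"]
```

When checking what actually arrives, sending a few events to `output.console` (or `output.file`) on the Windows host first shows the full JSON document, including `event_id` and the `event_data` fields, independently of how Logstash later renders or codes the message.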