Wrong parsed field

Jan_Kaspar · June 20, 2019, 7:42pm

Hello,

i am using WinLogBeat 7.1.1 (but it do not work in previous version too) and there is wrong parsed field winlog.event_data.FailureReason

   	t  winlog.computer_name	SomeServer1
   	t  winlog.event_data.AuthenticationPackageName	Negotiate
 	?  **winlog.event_data.FailureReason	  %%2313**
   	t  winlog.event_data.IpAddress	127.0.0.1
   	t  winlog.event_data.IpPort	0
   	t  winlog.event_data.KeyLength	0

Can you fix this please? For now I have written my own rule to parse this information.

Thanks

Jan

andrewkroh · June 20, 2019, 8:28pm

It's not that Winlogbeat is parsing the anything wrong. This is exactly what Windows provides callers of the API to receive events. We have an issue open to enhance Winlogbeat with the ability to enrich events with a conversion of these codes to strings. See https://github.com/elastic/beats/issues/11539.

system · July 18, 2019, 8:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat data is not parsing properly Beats winlogbeat	9	1357	June 7, 2020
Problem with parsing 'message' field in Winlogbeat Beats winlogbeat	1	282	March 26, 2021
Elastic parsing error field type format incorrect Beats winlogbeat	2	375	May 3, 2023
Winlogbeat experimental api missmatch between paresed fields and rendered event Beats winlogbeat	5	331	May 25, 2022
Winlogbeat not all events are parsed Beats winlogbeat	2	830	April 26, 2019

Wrong parsed field

Related topics