Wrong parsed field

Hello,

I am using WinLogBeat 7.1.1 (but it does not work in previous versions either) and there is a wrongly parsed field, winlog.event_data.FailureReason:

    t  winlog.computer_name                          SomeServer1
    t  winlog.event_data.AuthenticationPackageName   Negotiate
    ?  **winlog.event_data.FailureReason             %%2313**
    t  winlog.event_data.IpAddress                   127.0.0.1
    t  winlog.event_data.IpPort                      0
    t  winlog.event_data.KeyLength                   0

Can you fix this please? For now I have written my own rule to parse this information.

Thanks

Jan

It's not that Winlogbeat is parsing anything wrong. This is exactly what Windows provides to callers of the API to receive events. We have an issue open to enhance Winlogbeat with the ability to enrich events with a conversion of these codes to strings. See https://github.com/elastic/beats/issues/11539.
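
The code-to-string conversion discussed in the reply above, sketched as an added example that is not part of the original thread and is not Winlogbeat code. It resolves `%%NNNN` placeholders in every `winlog.event_data` string while keeping the raw value for rules keyed on the code. The output fields `event_data_resolved` and `unresolved_codes` are hypothetical names, and the table is a partial one using the texts Microsoft documents for logon failure reasons, so check it against your own systems.

```javascript
// Added example: resolve Windows "%%NNNN" message-table placeholders in an event.
// Partial table (assumption: texts as documented by Microsoft for logon failures).
const MESSAGE_TABLE = {
  2305: "The specified user account has expired.",
  2307: "Account locked out.",
  2309: "The specified account's password has expired.",
  2310: "Account currently disabled.",
  2311: "Account logon time restriction violation.",
  2312: "User not allowed to logon at this computer.",
  2313: "Unknown user name or bad password.",
};
const PLACEHOLDER = /%%(\d+)/g;

// Returns a new event. Raw codes stay untouched in event_data; resolved text goes
// to event_data_resolved and unknown codes to unresolved_codes (hypothetical names).
function enrichEventData(event, table = MESSAGE_TABLE) {
  const data = (event.winlog && event.winlog.event_data) || {};
  const resolved = {};
  const unresolved = new Set();
  for (const [field, value] of Object.entries(data)) {
    if (typeof value !== "string" || !value.includes("%%")) continue;
    let hit = false;
    const text = value.replace(PLACEHOLDER, (token, code) => {
      if (Object.prototype.hasOwnProperty.call(table, code)) {
        hit = true;
        return table[code];
      }
      unresolved.add(token); // track coverage gaps in the table
      return token;          // unknown code: leave the placeholder as-is
    });
    if (hit) resolved[field] = text.trim();
  }
  return {
    ...event,
    winlog: { ...event.winlog, event_data_resolved: resolved,
              unresolved_codes: [...unresolved].sort() },
  };
}

// Constructed sample: the fields from the post plus one constructed field that
// mixes a known and an unknown code.
const sample = { winlog: { computer_name: "SomeServer1", event_data: {
  AuthenticationPackageName: "Negotiate", FailureReason: "  %%2313",
  IpAddress: "127.0.0.1", IpPort: "0", KeyLength: "0",
  ConstructedField: "%%2310 %%9999" } } };

console.log(JSON.stringify(enrichEventData(sample).winlog, null, 2));
```
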
