WARNING: Version 5.6 of Winlogbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Event Log Record Fields
editEvent Log Record Fields
editContains data from a Windows event log record.
activity_id
edittype: keyword
required: False
A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
computer_name
edittype: keyword
required: True
The name of the computer that generated the record. When using Windows event forwarding, this name can differ from the beat.hostname
.
event_data
edittype: dict
required: False
The event-specific data. This field is mutually exclusive with user_data
. If you are capturing event data on versions prior to Windows Vista, the parameters in event_data
are named param1
, param2
, and so on, because event log parameters are unnamed in earlier versions of Windows.
event_id
edittype: long
required: True
The event identifier. The value is specific to the source of the event.
keywords
edittype: keyword
required: False
The keywords are used to classify an event.
log_name
edittype: keyword
required: True
The name of the event log from which this record was read. This value is one of the names from the event_logs
collection in the configuration.
level
edittype: keyword
required: False
The level of the event. There are five levels of events that can be logged: Success, Information, Warning, Error, Audit Success, and Audit Failure.
message
edittype: text
required: False
The message from the event log record.
message_error
edittype: keyword
required: False
The error that occurred while reading and formatting the message from the log.
record_number
edittype: keyword
required: True
The record number of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (232 for the Event Logging API and 264 for the Windows Event Log API), the next record number will be 0.
related_activity_id
edittype: keyword
required: False
A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their activity_id
identifier.
opcode
edittype: keyword
required: False
The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
provider_guid
edittype: keyword
required: False
A globally unique identifier that identifies the provider that logged the event.
process_id
edittype: long
required: False
The process_id identifies the process that generated the event.
source_name
edittype: keyword
required: True
The source of the event log record (the application or service that logged the record).
task
edittype: keyword
required: False
The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
thread_id
edittype: long
required: False
The thread_id identifies the thread that generated the event.
user_data
edittype: dict
required: False
The event specific data. This field is mutually exclusive with event_data
.
user.identifier
edittype: keyword
example: S-1-5-21-3541430928-2051711210-1391384369-1001
required: False
The Windows security identifier (SID) of the account associated with this event.
If Winlogbeat cannot resolve the SID to a name, then the user.name
, user.domain
, and user.type
fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
user.name
edittype: keyword
required: False
The name of the account associated with this event.
user.domain
edittype: keyword
required: False
The domain that the account associated with this event is a member of.
user.type
edittype: keyword
required: False
The type of account associated with this event.
version
edittype: long
required: False
The version number of the event’s definition.
xml
edittype: text
required: False
The raw XML representation of the event obtained from Windows. This field is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer). This field is not included by default and must be enabled by setting include_xml: true
as a configuration option for an individual event log.
The XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Winlogbeat can be compared to the data in the XML to diagnose problems.