IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Security module fields
editSecurity module fields
editThese are the event fields specific to the module for the Security log.
winlog.logon
editData related to a Windows logon.
-
winlog.logon.type
-
Logon type name. This is the descriptive version of the
winlog.event_data.LogonType
ordinal. This is an enrichment added by the Security module.type: keyword
example: RemoteInteractive
-
winlog.logon.id
-
Logon ID that can be used to associate this logon with other events related to the same logon session.
type: keyword
-
winlog.logon.failure.reason
-
The reason the logon failed.
type: keyword
-
winlog.logon.failure.status
-
The reason the logon failed. This is textual description based on the value of the hexadecimal
Status
field.type: keyword
-
winlog.logon.failure.sub_status
-
Additional information about the logon failure. This is a textual description based on the value of the hexidecimal
SubStatus
field.type: keyword