- Winlogbeat Reference: other versions:
- Overview
- Get started
- Set up and run
- Upgrade
- Configure
- Winlogbeat
- General settings
- Project paths
- Output
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_json_fields
- decompress_gzip_field
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- registered_domain
- rename
- script
- timestamp
- truncate_fields
- Internal queue
- Logging
- HTTP endpoint
- winlogbeat.reference.yml
- How to guides
- Modules
- Exported fields
- Monitor
- Secure
- Troubleshoot
- Get Help
- Debug
- Common problems
- Dashboard in Kibana is breaking up data fields incorrectly
- Bogus computer_name fields are reported in some events
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Not sure how to read from .evtx files
- Contribute to Beats
IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Security module fields
editSecurity module fields
editThese are the event fields specific to the module for the Security log.
winlog.logon
editData related to a Windows logon.
-
winlog.logon.type -
Logon type name. This is the descriptive version of the
winlog.event_data.LogonTypeordinal. This is an enrichment added by the Security module.type: keyword
example: RemoteInteractive
-
winlog.logon.id -
Logon ID that can be used to associate this logon with other events related to the same logon session.
type: keyword
-
winlog.logon.failure.reason -
The reason the logon failed.
type: keyword
-
winlog.logon.failure.status -
The reason the logon failed. This is textual description based on the value of the hexadecimal
Statusfield.type: keyword
-
winlog.logon.failure.sub_status -
Additional information about the logon failure. This is a textual description based on the value of the hexidecimal
SubStatusfield.type: keyword
On this page
Was this helpful?
Thank you for your feedback.