IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Security Module

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
The security module processes event log records from the Security log.
The module has transformations for the following event IDs:
- 4624 - An account was successfully logged on.
- 4625 - An account failed to log on.
- 4634 - An account was logged off.
- 4647 - User initiated logoff (interactive logon types).
- 4648 - A logon was attempted using explicit credentials.
- 4672 - Special privileges assigned to new logon.
- 4688 - A new process has been created.
- 4689 - A process has exited.
- 4720 - A user account was created.
- 4722 - A user account was enabled.
- 4723 - An attempt was made to change an account’s password.
- 4724 - An attempt was made to reset an account’s password.
- 4725 - A user account was disabled.
- 4726 - A user account was deleted.
- 4738 - A user account was changed.
- 4740 - A user account was locked out.
- 4767 - An account was unlocked.
- 4781 - The name of an account was changed.
More event IDs will be added.
Configuration

```yaml
winlogbeat.event_logs:
  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
```
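To show what the script processor referenced in the configuration above actually does with one of the listed event IDs, here is an added example of a processor script for 4624/4625 logon events. It is not the module's own winlogbeat-security.js. It assumes the Winlogbeat field layout `winlog.event_id` and `winlog.event_data.<Name>`, the ECS-style target fields `event.category`, `event.outcome`, `user.name` and `user.domain`, and Microsoft's documented logon type codes; the `Event` object with `Get`/`Put` is a minimal stand-in for the script processor's event API so the script runs under Node, and the sample record is constructed, not captured from a host.

```javascript
// Added example: a script-processor style transformation for events 4624 and 4625.
// Not the module's winlogbeat-security.js; it shows the shape of such a script
// (a process(event) entry point using the Event API's Get/Put) plus a stand-in
// Event object so the file runs stand-alone under Node.

// Microsoft logon type codes carried in winlog.event_data.LogonType (assumed field).
var LOGON_TYPES = {
  "2": "Interactive",
  "3": "Network",
  "4": "Batch",
  "5": "Service",
  "7": "Unlock",
  "8": "NetworkCleartext",
  "9": "NewCredentials",
  "10": "RemoteInteractive",
  "11": "CachedInteractive"
};

// Minimal stand-in for the processor's Event object: dotted-key Get/Put over a plain object.
function Event(fields) {
  this.fields = fields;
}
Event.prototype.Get = function (key) {
  var parts = key.split(".");
  var cur = this.fields;
  for (var i = 0; i < parts.length; i++) {
    if (cur === null || typeof cur !== "object" || !(parts[i] in cur)) return null;
    cur = cur[parts[i]];
  }
  return cur;
};
Event.prototype.Put = function (key, value) {
  var parts = key.split(".");
  var cur = this.fields;
  for (var i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
};

// Entry point the script processor calls once per event (assumed: winlog.event_id
// may be a number or a string depending on the Winlogbeat version, so normalise it).
function process(evt) {
  var id = String(evt.Get("winlog.event_id"));
  if (id !== "4624" && id !== "4625") return evt;

  // Translate the numeric logon type into a readable name; unknown codes are left unset.
  var code = String(evt.Get("winlog.event_data.LogonType"));
  if (LOGON_TYPES[code]) evt.Put("winlog.logon.type", LOGON_TYPES[code]);

  // ECS-style categorisation: 4624 is a successful logon, 4625 a failed one.
  evt.Put("event.category", "authentication");
  evt.Put("event.outcome", id === "4624" ? "success" : "failure");

  // Copy the target account into the common user.* fields.
  var user = evt.Get("winlog.event_data.TargetUserName");
  if (user) evt.Put("user.name", user);
  var domain = evt.Get("winlog.event_data.TargetDomainName");
  if (domain) evt.Put("user.domain", domain);
  return evt;
}

// Constructed sample shaped like a Winlogbeat 4624 record (not captured from a real host).
function sampleLogon() {
  return new Event({
    winlog: {
      event_id: "4624",
      event_data: { LogonType: "10", TargetUserName: "alice", TargetDomainName: "EXAMPLE" }
    }
  });
}

// Constructed sample shaped like a 4625 record with an unknown logon type code.
function sampleFailedLogon() {
  return new Event({
    winlog: {
      event_id: 4625,
      event_data: { LogonType: "99", TargetUserName: "bob", TargetDomainName: "EXAMPLE" }
    }
  });
}

console.log(JSON.stringify(process(sampleLogon()).fields, null, 2));
```

In a real deployment the `Event` stand-in is not needed; Winlogbeat supplies the event object and calls `process` itself, so only the `LOGON_TYPES` table and `process` would go in the file referenced by `file:` in the configuration.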