Winlogbeat Reference
These are the event fields specific to the module for the Microsoft-Windows-PowerShell/Operational and Windows PowerShell logs.
- powershell.id
  Shell Id.
  type: keyword
  example: Microsoft Powershell
- powershell.pipeline_id
  Pipeline id.
  type: keyword
  example: 1
- powershell.runspace_id
  Runspace id.
  type: keyword
  example: 4fa9074d-45ab-4e53-9195-e91981ac2bbb
- powershell.sequence
  Sequence number of the PowerShell execution.
  type: long
  example: 1
- powershell.total
  Total number of messages in the sequence.
  type: long
  example: 10
Data related to the executed command.
- powershell.command.path
  Path of the executed command.
  type: keyword
  example: C:\Windows\system32\cmd.exe
- powershell.command.name
  Name of the executed command.
  type: keyword
  example: cmd.exe
- powershell.command.type
  Type of the executed command.
  type: keyword
  example: Application
- powershell.command.value
  The invoked command.
  type: text
  example: Import-LocalizedData LocalizedData -filename ArchiveResources
- powershell.command.invocation_details
  An array of objects containing detailed information about the executed command.
  type: array
- powershell.command.invocation_details.type
  The type of detail.
  type: keyword
  example: CommandInvocation
- powershell.command.invocation_details.related_command
  The command to which the detail is related.
  type: keyword
  example: Add-Type
- powershell.command.invocation_details.name
  Only used for the ParameterBinding detail type. Indicates the parameter name.
  type: keyword
  example: AssemblyName
- powershell.command.invocation_details.value
  The value of the detail; its meaning depends on the detail type.
  type: text
  example: System.IO.Compression.FileSystem
Data related to the connected user executing the command.
- powershell.connected_user.domain
  User domain.
  type: keyword
  example: VAGRANT
- powershell.connected_user.name
  User name.
  type: keyword
  example: vagrant
Data related to the PowerShell engine.
- powershell.engine.version
  Version of the PowerShell engine used to execute the command.
  type: keyword
  example: 5.1.17763.1007
- powershell.engine.previous_state
  Previous state of the PowerShell engine.
  type: keyword
  example: Available
- powershell.engine.new_state
  New state of the PowerShell engine.
  type: keyword
  example: Stopped
Data related to the executed script file.
- powershell.file.script_block_id
  Id of the executed script block.
  type: keyword
  example: 50d2dbda-7361-4926-a94d-d9eadfdb43fa
- powershell.file.script_block_text
  Text of the executed script block.
  type: text
  example: .\a_script.ps1
- powershell.process.executable_version
  Version of the engine hosting process executable.
  type: keyword
  example: 5.1.17763.1007
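The sequence/total fields, the invocation_details array and the script block fields above describe how one PowerShell execution is spread over several events. The following is an added example (not Winlogbeat's own code) showing how a defender would consume them: it reassembles script block text from fragments keyed by powershell.file.script_block_id, reports gaps instead of silently joining a partial block, and pulls ParameterBinding details for a given command out of powershell.command.invocation_details. It assumes the events are Winlogbeat JSON documents with the nested object layout of the field names on this page, and that powershell.sequence numbers fragments from 1 to powershell.total; the sample events are constructed, not real captures.

```python
"""Consume Winlogbeat PowerShell module events (added example, not Winlogbeat code)."""
import json
from collections import defaultdict

# Constructed sample events in the nested layout of the documented fields.
# Fragments of the first script block arrive out of order; the second block
# is missing fragments 1 and 3 (e.g. dropped or not yet shipped).
SAMPLE_NDJSON = r"""
{"powershell": {"sequence": 2, "total": 2, "file": {"script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", "script_block_text": "  Get-ChildItem\n}\n"}}}
{"powershell": {"sequence": 1, "total": 2, "file": {"script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", "script_block_text": "function Get-Thing {\n"}}}
{"powershell": {"sequence": 2, "total": 3, "file": {"script_block_id": "11111111-2222-3333-4444-555555555555", "script_block_text": "middle fragment\n"}}}
{"powershell": {"id": "Microsoft Powershell", "command": {"name": "Add-Type", "invocation_details": [{"type": "CommandInvocation", "related_command": "Add-Type", "value": "Add-Type -AssemblyName System.IO.Compression.FileSystem"}, {"type": "ParameterBinding", "related_command": "Add-Type", "name": "AssemblyName", "value": "System.IO.Compression.FileSystem"}]}}}
"""

EVENTS = [json.loads(line) for line in SAMPLE_NDJSON.splitlines() if line.strip()]


def get(event, dotted, default=None):
    """Walk a nested dict by a dotted field name such as 'powershell.file.script_block_id'."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def reassemble_script_blocks(events):
    """Group script block fragments by id and join them in sequence order.

    Returns (complete, incomplete): complete maps script_block_id -> full text;
    incomplete maps script_block_id -> sorted list of missing sequence numbers.
    Assumes (not stated on the page) that sequence runs from 1 to total.
    """
    fragments = defaultdict(dict)  # script_block_id -> {sequence: text}
    totals = {}                    # script_block_id -> total, first value seen
    for ev in events:
        sb_id = get(ev, "powershell.file.script_block_id")
        seq = get(ev, "powershell.sequence")
        total = get(ev, "powershell.total")
        text = get(ev, "powershell.file.script_block_text")
        if None in (sb_id, seq, total, text):
            continue  # not a script block fragment event
        fragments[sb_id][int(seq)] = text
        totals.setdefault(sb_id, int(total))

    complete, incomplete = {}, {}
    for sb_id, parts in fragments.items():
        expected = range(1, totals[sb_id] + 1)
        missing = [n for n in expected if n not in parts]
        if missing:
            incomplete[sb_id] = missing   # never join a partial block
        else:
            complete[sb_id] = "".join(parts[n] for n in expected)
    return complete, incomplete


def parameter_bindings(events, command):
    """Return (parameter name, value) pairs bound for `command`.

    Uses the ParameterBinding detail type, whose `name` field carries the
    parameter name and `value` the bound argument.
    """
    found = []
    for ev in events:
        for detail in get(ev, "powershell.command.invocation_details") or []:
            if (detail.get("type") == "ParameterBinding"
                    and detail.get("related_command") == command):
                found.append((detail.get("name"), detail.get("value")))
    return found


if __name__ == "__main__":
    complete, incomplete = reassemble_script_blocks(EVENTS)
    for sb_id, text in complete.items():
        print(f"script block {sb_id}:\n{text}")
    for sb_id, missing in incomplete.items():
        print(f"script block {sb_id} incomplete, missing fragments {missing}")
    print("Add-Type bindings:", parameter_bindings(EVENTS, "Add-Type"))
```

Keying on script_block_id rather than on runspace or pipeline id matters because the same script block can be logged again in a later pipeline; keeping `totals` from the first fragment and checking every expected number catches both dropped events and a fragment whose total disagrees with the rest of the block.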
Data related to the PowerShell engine host.
- powershell.provider.new_state
  New state of the PowerShell provider.
  type: keyword
  example: Active
- powershell.provider.name
  Provider name.
  type: keyword
  example: Variable