- Winlogbeat Reference: other versions:
- Winlogbeat Overview
- Quick start: installation and configuration
- Set up and run
- Upgrade
- Configure
- Winlogbeat
- General settings
- Project paths
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- append
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- rate_limit
- registered_domain
- rename
- replace
- script
- syslog
- timestamp
- translate_ldap_attribute
- translate_sid
- truncate_fields
- urldecode
- Internal queue
- Logging
- HTTP endpoint
- Instrumentation
- winlogbeat.reference.yml
- How to guides
- Modules
- Exported fields
- Monitor
- Secure
- Troubleshoot
- Get Help
- Debug
- Understand logged metrics
- Common problems
- Dashboard in Kibana is breaking up data fields incorrectly
- Bogus computer_name fields are reported in some events
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Dashboard could not locate the index-pattern
- High RSS memory usage due to MADV settings
- Not sure how to read from .evtx files
- Contribute to Beats
Fields from the Windows Event Log.
-
event.original
-
The raw XML representation of the event obtained from Windows. This field is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer). This field is not included by default and must be enabled by setting
include_xml: true
as a configuration option for an individual event log. The XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Winlogbeat can be compared to the data in the XML to diagnose problems.
All fields specific to the Windows Event Log are defined here.
-
winlog.api
-
The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "wineventlog-experimental" for its experimental implementation.
required: True
-
winlog.activity_id
-
A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
type: keyword
required: False
-
winlog.computer_name
-
The name of the computer that generated the record. When using Windows event forwarding, this name can differ from
agent.hostname
.type: keyword
required: True
-
winlog.computerObject.domain
-
The domain of the account that was added, modified or deleted in the event.
type: keyword
required: False
-
winlog.computerObject.id
-
A globally unique identifier that identifies the target device.
type: keyword
required: False
-
winlog.computerObject.name
-
The account name that was added, modified or deleted in the event.
type: keyword
required: False
-
winlog.event_data
-
The event-specific data. This field is mutually exclusive with
user_data
. If you are capturing event data on versions prior to Windows Vista, the parameters inevent_data
are namedparam1
,param2
, and so on, because event log parameters are unnamed in earlier versions of Windows.type: object
required: False
This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
-
winlog.event_data.AuthenticationPackageName
-
type: keyword
-
winlog.event_data.Binary
-
type: keyword
-
winlog.event_data.BitlockerUserInputTime
-
type: keyword
-
winlog.event_data.BootMode
-
type: keyword
-
winlog.event_data.BootType
-
type: keyword
-
winlog.event_data.BuildVersion
-
type: keyword
-
winlog.event_data.CallTrace
-
type: keyword
-
winlog.event_data.ClientInfo
-
type: keyword
-
winlog.event_data.Company
-
type: keyword
-
winlog.event_data.Configuration
-
type: keyword
-
winlog.event_data.CorruptionActionState
-
type: keyword
-
winlog.event_data.CreationUtcTime
-
type: keyword
-
winlog.event_data.Description
-
type: keyword
-
winlog.event_data.Detail
-
type: keyword
-
winlog.event_data.DeviceName
-
type: keyword
-
winlog.event_data.DeviceNameLength
-
type: keyword
-
winlog.event_data.DeviceTime
-
type: keyword
-
winlog.event_data.DeviceVersionMajor
-
type: keyword
-
winlog.event_data.DeviceVersionMinor
-
type: keyword
-
winlog.event_data.DriveName
-
type: keyword
-
winlog.event_data.DriverName
-
type: keyword
-
winlog.event_data.DriverNameLength
-
type: keyword
-
winlog.event_data.DwordVal
-
type: keyword
-
winlog.event_data.EntryCount
-
type: keyword
-
winlog.event_data.EventType
-
type: keyword
-
winlog.event_data.EventNamespace
-
type: keyword
-
winlog.event_data.ExtraInfo
-
type: keyword
-
winlog.event_data.FailureName
-
type: keyword
-
winlog.event_data.FailureNameLength
-
type: keyword
-
winlog.event_data.FileVersion
-
type: keyword
-
winlog.event_data.FinalStatus
-
type: keyword
-
winlog.event_data.GrantedAccess
-
type: keyword
-
winlog.event_data.Group
-
type: keyword
-
winlog.event_data.IdleImplementation
-
type: keyword
-
winlog.event_data.IdleStateCount
-
type: keyword
-
winlog.event_data.ImpersonationLevel
-
type: keyword
-
winlog.event_data.IntegrityLevel
-
type: keyword
-
winlog.event_data.IpAddress
-
type: keyword
-
winlog.event_data.IpPort
-
type: keyword
-
winlog.event_data.KeyLength
-
type: keyword
-
winlog.event_data.LastBootGood
-
type: keyword
-
winlog.event_data.LastShutdownGood
-
type: keyword
-
winlog.event_data.LmPackageName
-
type: keyword
-
winlog.event_data.LogonGuid
-
type: keyword
-
winlog.event_data.LogonId
-
type: keyword
-
winlog.event_data.LogonProcessName
-
type: keyword
-
winlog.event_data.LogonType
-
type: keyword
-
winlog.event_data.MajorVersion
-
type: keyword
-
winlog.event_data.MaximumPerformancePercent
-
type: keyword
-
winlog.event_data.MemberName
-
type: keyword
-
winlog.event_data.MemberSid
-
type: keyword
-
winlog.event_data.MinimumPerformancePercent
-
type: keyword
-
winlog.event_data.MinimumThrottlePercent
-
type: keyword
-
winlog.event_data.MinorVersion
-
type: keyword
-
winlog.event_data.Name
-
type: keyword
-
winlog.event_data.NewProcessId
-
type: keyword
-
winlog.event_data.NewProcessName
-
type: keyword
-
winlog.event_data.NewSchemeGuid
-
type: keyword
-
winlog.event_data.NewThreadId
-
type: keyword
-
winlog.event_data.NewTime
-
type: keyword
-
winlog.event_data.NominalFrequency
-
type: keyword
-
winlog.event_data.Number
-
type: keyword
-
winlog.event_data.OldSchemeGuid
-
type: keyword
-
winlog.event_data.OldTime
-
type: keyword
-
winlog.event_data.Operation
-
type: keyword
-
winlog.event_data.OriginalFileName
-
type: keyword
-
winlog.event_data.Path
-
type: keyword
-
winlog.event_data.PerformanceImplementation
-
type: keyword
-
winlog.event_data.PreviousCreationUtcTime
-
type: keyword
-
winlog.event_data.PreviousTime
-
type: keyword
-
winlog.event_data.PrivilegeList
-
type: keyword
-
winlog.event_data.ProcessId
-
type: keyword
-
winlog.event_data.ProcessName
-
type: keyword
-
winlog.event_data.ProcessPath
-
type: keyword
-
winlog.event_data.ProcessPid
-
type: keyword
-
winlog.event_data.Product
-
type: keyword
-
winlog.event_data.PuaCount
-
type: keyword
-
winlog.event_data.PuaPolicyId
-
type: keyword
-
winlog.event_data.QfeVersion
-
type: keyword
-
winlog.event_data.Query
-
type: keyword
-
winlog.event_data.Reason
-
type: keyword
-
winlog.event_data.SchemaVersion
-
type: keyword
-
winlog.event_data.ScriptBlockText
-
type: keyword
-
winlog.event_data.ServiceName
-
type: keyword
-
winlog.event_data.ServiceVersion
-
type: keyword
-
winlog.event_data.Session
-
type: keyword
-
winlog.event_data.ShutdownActionType
-
type: keyword
-
winlog.event_data.ShutdownEventCode
-
type: keyword
-
winlog.event_data.ShutdownReason
-
type: keyword
-
winlog.event_data.Signature
-
type: keyword
-
winlog.event_data.SignatureStatus
-
type: keyword
-
winlog.event_data.Signed
-
type: keyword
-
winlog.event_data.StartAddress
-
type: keyword
-
winlog.event_data.StartFunction
-
type: keyword
-
winlog.event_data.StartModule
-
type: keyword
-
winlog.event_data.StartTime
-
type: keyword
-
winlog.event_data.State
-
type: keyword
-
winlog.event_data.Status
-
type: keyword
-
winlog.event_data.StopTime
-
type: keyword
-
winlog.event_data.SubjectDomainName
-
type: keyword
-
winlog.event_data.SubjectLogonId
-
type: keyword
-
winlog.event_data.SubjectUserName
-
type: keyword
-
winlog.event_data.SubjectUserSid
-
type: keyword
-
winlog.event_data.TSId
-
type: keyword
-
winlog.event_data.TargetDomainName
-
type: keyword
-
winlog.event_data.TargetImage
-
type: keyword
-
winlog.event_data.TargetInfo
-
type: keyword
-
winlog.event_data.TargetLogonGuid
-
type: keyword
-
winlog.event_data.TargetLogonId
-
type: keyword
-
winlog.event_data.TargetProcessGUID
-
type: keyword
-
winlog.event_data.TargetProcessId
-
type: keyword
-
winlog.event_data.TargetServerName
-
type: keyword
-
winlog.event_data.TargetUserName
-
type: keyword
-
winlog.event_data.TargetUserSid
-
type: keyword
-
winlog.event_data.TerminalSessionId
-
type: keyword
-
winlog.event_data.TokenElevationType
-
type: keyword
-
winlog.event_data.TransmittedServices
-
type: keyword
-
winlog.event_data.Type
-
type: keyword
-
winlog.event_data.UserSid
-
type: keyword
-
winlog.event_data.Version
-
type: keyword
-
winlog.event_data.Workstation
-
type: keyword
-
winlog.event_data.param1
-
type: keyword
-
winlog.event_data.param2
-
type: keyword
-
winlog.event_data.param3
-
type: keyword
-
winlog.event_data.param4
-
type: keyword
-
winlog.event_data.param5
-
type: keyword
-
winlog.event_data.param6
-
type: keyword
-
winlog.event_data.param7
-
type: keyword
-
winlog.event_data.param8
-
type: keyword
-
winlog.event_id
-
The event identifier. The value is specific to the source of the event.
type: keyword
required: True
-
winlog.keywords
-
The keywords are used to classify an event.
type: keyword
required: False
-
winlog.channel
-
The name of the channel from which this record was read. This value is one of the names from the
event_logs
collection in the configuration.type: keyword
required: True
-
winlog.record_id
-
The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (232 for the Event Logging API and 264 for the Windows Event Log API), the next record number will be 0.
type: keyword
required: True
-
winlog.related_activity_id
-
A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their
activity_id
identifier.type: keyword
required: False
-
winlog.opcode
-
The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
type: keyword
required: False
-
winlog.provider_guid
-
A globally unique identifier that identifies the provider that logged the event.
type: keyword
required: False
-
winlog.process.pid
-
The process_id of the Client Server Runtime Process.
type: long
required: False
-
winlog.provider_name
-
The source of the event log record (the application or service that logged the record).
type: keyword
required: True
-
winlog.task
-
The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
type: keyword
required: False
-
winlog.time_created
-
The event creation time.
type: date
required: False
-
winlog.trustAttribute
-
The decimal value of attributes for new trust created to a domain.
type: keyword
required: False
-
winlog.trustDirection
-
The direction of new trust created to a domain. Possible values are
TRUST_DIRECTION_DISABLED
,TRUST_DIRECTION_INBOUND
,TRUST_DIRECTION_OUTBOUND
andTRUST_DIRECTION_BIDIRECTIONAL
type: keyword
required: False
-
winlog.trustType
-
The account name that was added, modified or deleted in the event. Possible values are
TRUST_TYPE_DOWNLEVEL
,TRUST_TYPE_UPLEVEL
,TRUST_TYPE_MIT
andTRUST_TYPE_DCE
type: keyword
required: False
-
winlog.process.thread.id
-
type: long
required: False
-
winlog.user_data
-
The event specific data. This field is mutually exclusive with
event_data
.type: object
required: False
-
winlog.user.identifier
-
The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the
user.name
,user.domain
, anduser.type
fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.type: keyword
example: S-1-5-21-3541430928-2051711210-1391384369-1001
required: False
-
winlog.user.name
-
Name of the user associated with this event.
type: keyword
-
winlog.user.domain
-
The domain that the account associated with this event is a member of.
type: keyword
required: False
-
winlog.user.type
-
The type of account associated with this event.
type: keyword
required: False
-
winlog.version
-
The version number of the event’s definition.
type: long
required: False
On this page