These are the event fields specific to the module for the Security log.

Data related to a Windows logon.

winlog.logon.type
    Logon type name. This is the descriptive version of the winlog.event_data.LogonType ordinal. This is an enrichment added by the Security module.
    type: keyword
    example: RemoteInteractive

winlog.logon.id
    Logon ID that can be used to associate this logon with other events related to the same logon session.
    type: keyword

winlog.logon.failure.reason
    The reason the logon failed.
    type: keyword

winlog.logon.failure.status
    The reason the logon failed. This is a textual description based on the value of the hexadecimal Status field.
    type: keyword

winlog.logon.failure.sub_status
    Additional information about the logon failure. This is a textual description based on the value of the hexadecimal SubStatus field.
    type: keyword
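The enrichment these fields describe (LogonType ordinal to name, hexadecimal Status/SubStatus to text) reproduced on a constructed event, as an added example that is not Winlogbeat's own code: the LogonType ordinals and NTSTATUS codes are the standard Windows values, while the description strings are this example's own wording and the function names are assumptions.

```python
# Added example, not the Security module's implementation.
# LogonType ordinal (winlog.event_data.LogonType) -> descriptive name.
LOGON_TYPES = {
    "0": "System", "2": "Interactive", "3": "Network", "4": "Batch",
    "5": "Service", "7": "Unlock", "8": "NetworkCleartext",
    "9": "NewCredentials", "10": "RemoteInteractive",
    "11": "CachedInteractive", "12": "CachedRemoteInteractive",
    "13": "CachedUnlock",
}

# NTSTATUS codes carried in Status/SubStatus of a failed logon (4625).
# Descriptions are this example's wording, not the module's exact text.
LOGON_FAILURE_CODES = {
    0xC0000064: "User name does not exist",
    0xC000006A: "Correct user name but wrong password",
    0xC000006D: "Bad user name or authentication information",
    0xC000006F: "Logon outside permitted hours",
    0xC0000070: "Logon from an unauthorized workstation",
    0xC0000071: "Password expired",
    0xC0000072: "Account disabled",
    0xC0000193: "Account expired",
    0xC0000234: "Account locked out",
}

def describe_status(hex_status):
    """Map a hex string such as '0xc000006d' to text; unknown codes stay raw."""
    return LOGON_FAILURE_CODES.get(int(hex_status, 16), hex_status)

def enrich_logon(event):
    """Derive winlog.logon.* from winlog.event_data, as the module does."""
    winlog = event.setdefault("winlog", {})
    data = winlog.get("event_data", {})
    logon = winlog.setdefault("logon", {})
    if "LogonType" in data:
        ordinal = str(data["LogonType"])
        logon["type"] = LOGON_TYPES.get(ordinal, ordinal)
    # A successful 4624 carries TargetLogonId; a failed 4625 has no session.
    if "TargetLogonId" in data:
        logon["id"] = data["TargetLogonId"]
    if "Status" in data:
        failure = logon.setdefault("failure", {})
        failure["status"] = describe_status(data["Status"])
        if "SubStatus" in data:
            failure["sub_status"] = describe_status(data["SubStatus"])
    return event

# Constructed sample: a failed RDP logon (event 4625), not a real capture.
SAMPLE = {"winlog": {"event_id": 4625, "event_data": {
    "LogonType": "10", "Status": "0xc000006d", "SubStatus": "0xc000006a"}}}
```

Running enrich_logon(SAMPLE) yields winlog.logon.type "RemoteInteractive" with failure.status and failure.sub_status filled in, which is the shape a detection rule on these fields should expect.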