This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
« Process fields Sysmon module fields »
Elastic Docs Winlogbeat Reference [master] Exported fields

Security module fields

Security module fields

These are the event fields specific to the module for the Security log.

winlog.logon

Data related to a Windows logon.

winlog.logon.type

Logon type name. This is the descriptive version of the winlog.event_data.LogonType ordinal. This is an enrichment added by the Security module.

type: keyword

example: RemoteInteractive

winlog.logon.id

Logon ID that can be used to associate this logon with other events related to the same logon session.

type: keyword

winlog.logon.failure.reason

The reason the logon failed.

type: keyword

winlog.logon.failure.status

The reason the logon failed. This is textual description based on the value of the hexadecimal Status field.

type: keyword

winlog.logon.failure.sub_status

Additional information about the logon failure. This is a textual description based on the value of the hexidecimal SubStatus field.

type: keyword

« Process fields Sysmon module fields »