
Winlogbeat Rename Fields #689

Merged 1 commit, Jan 12, 2016

Conversation

andrewkroh
Member

  • Changed from lower-camel-case field names to underscore-separated field names.
  • Renamed event_log_name to log_name.

For reference and review purposes, here is an example event.

From the Windows Event Viewer (right-click -> "copy details as text"):

Log Name:      System
Source:        Service Control Manager
Date:          1/11/2016 4:35:09 PM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      bert
Description:
The winlogbeat service entered the running state.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-01-11T21:35:09.417973800Z" />
    <EventRecordID>4067</EventRecordID>
    <Correlation />
    <Execution ProcessID="656" ThreadID="1028" />
    <Channel>System</Channel>
    <Computer>bert</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">winlogbeat</Data>
    <Data Name="param2">running</Data>
    <Binary>770069006E006C006F00670062006500610074002F0034000000</Binary>
  </EventData>
</Event>

Winlogbeat Event JSON:

{
   "@timestamp":"2016-01-11T21:35:09.417Z",
   "beat":{
      "hostname":"bert",
      "name":"bert"
   },
   "computer_name":"bert",
   "count":1,
   "event_id":7036,
   "level":"Information",
   "log_name":"System",
   "message":"The winlogbeat service entered the running state.",
   "record_number":"4067",
   "source_name":"Service Control Manager",
   "type":"wineventlog"
}

@tsg
Contributor

tsg commented Jan 12, 2016

LGTM, merging.

tsg added a commit that referenced this pull request Jan 12, 2016
tsg merged commit e73179a into elastic:1.1 Jan 12, 2016
andrewkroh deleted the feature/1-1-wlb-rename-fields branch January 13, 2016 17:46
@nellicus

Is there a plan to include all the other fields other than Description?
This will be heavily used in SIEM space and info from other fields would be required.

@andrewkroh
Member Author

It might help clarify by showing a slightly more complex event with more parameters (see below). All the event data (with the exception of "Binary" fields) is included as part of the message field.

However, after looking more closely at the data, there are a few missing fields that could be useful and I am now considering adding them.

Missing fields:
  • Task (as an int)
  • Level (as an int)
  • Correlation
  • Execution.ProcessID
  • Execution.ThreadID
  • Keywords
  • Opcode
  • Provider GUID
  • ActivityID
  • RelatedActivityID

From the Windows Event Viewer (right-click -> "copy details as text"):

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/18/2016 12:00:00 AM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      bert
Description:
An account was successfully logged on.

Subject:
    Security ID:        SYSTEM
    Account Name:       BERT$
    Account Domain:     WORKGROUP
    Logon ID:       0x3e7

Logon Type:         5

New Logon:
    Security ID:        SYSTEM
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3e7
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x280
    Process Name:       C:\Windows\System32\services.exe

Network Information:
    Workstation Name:   
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2016-01-18T05:00:00.711574700Z" />
    <EventRecordID>7937</EventRecordID>
    <Correlation />
    <Execution ProcessID="652" ThreadID="2644" />
    <Channel>Security</Channel>
    <Computer>bert</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">BERT$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-18</Data>
    <Data Name="TargetUserName">SYSTEM</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="TargetLogonId">0x3e7</Data>
    <Data Name="LogonType">5</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">
    </Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x280</Data>
    <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

Winlogbeat Event JSON (with escaped tabs and newlines removed for display purposes):

{  
  "@timestamp":"2016-01-18T05:00:00.711Z",
  "beat":{  
    "hostname":"bert",
    "name":"bert"
  },
  "category":"Logon",
  "computer_name":"bert",
  "count":1,
  "event_id":4624,
  "level":"Information",
  "log_name":"Security",
  "message":"   An account was successfully logged on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       BERT$
    Account Domain:     WORKGROUP
    Logon ID:       0x3e7

Logon Type:         5

New Logon:
    Security ID:        S-1-5-18
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3e7
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x280
    Process Name:       C:\Windows\System32\services.exe

Network Information:
    Workstation Name:   
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested..",
  "record_number":"7937",
  "source_name":"Microsoft-Windows-Security-Auditing",
  "type":"wineventlog"
}
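
As an added example (not code from this PR or from Winlogbeat itself), the mapping described in the two comments above can be sketched in Go: parse the Event XML, emit the renamed underscore-separated fields, add the `<System>` values listed as missing (level and task as ints, keywords, provider GUID), and expose each named `<Data>` element under an `event_data` map so a SIEM can use the 4624 fields without parsing `message`. The names `provider_guid`, `task`, `keywords` and `event_data`, and the sample event constant, are assumptions made here rather than Winlogbeat's own.

```go
package main

import "encoding/xml"
import "strings"

// winEvent models the <System> and <EventData> sections of a Windows Event XML record.
type winEvent struct {
	System struct {
		Provider struct {
			Name string `xml:"Name,attr"`
			Guid string `xml:"Guid,attr"`
		} `xml:"Provider"`
		EventID       int    `xml:"EventID"`
		Level         int    `xml:"Level"`
		Task          int    `xml:"Task"`
		Keywords      string `xml:"Keywords"`
		EventRecordID string `xml:"EventRecordID"`
		Channel       string `xml:"Channel"`
		Computer      string `xml:"Computer"`
	} `xml:"System"`
	EventData struct {
		Data []struct {
			Name  string `xml:"Name,attr"`
			Value string `xml:",chardata"`
		} `xml:"Data"`
	} `xml:"EventData"`
}

// Constructed sample: the 7036 event from the PR description, trimmed to the elements used here.
const sample7036 = `<Event><System><Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}"/>
<EventID Qualifiers="16384">7036</EventID><Level>4</Level><Task>0</Task><Keywords>0x8080000000000000</Keywords>
<EventRecordID>4067</EventRecordID><Channel>System</Channel><Computer>bert</Computer></System>
<EventData><Data Name="param1">winlogbeat</Data><Data Name="param2">running</Data></EventData></Event>`
// ToFields maps one event onto the PR's underscore-separated names, adds the level, task, keywords
// and provider GUID the thread lists as missing, and exposes each named <Data> element under event_data.
func ToFields(rawXML string) (map[string]interface{}, error) {
	var ev winEvent
	if err := xml.Unmarshal([]byte(rawXML), &ev); err != nil {
		return nil, err
	}
	data := map[string]string{}
	for _, d := range ev.EventData.Data {
		data[d.Name] = strings.TrimSpace(d.Value) // "Advapi  " -> "Advapi"; an empty WorkstationName -> ""
	}
	return map[string]interface{}{
		"log_name": ev.System.Channel, "source_name": ev.System.Provider.Name, "provider_guid": ev.System.Provider.Guid,
		"event_id": ev.System.EventID, "level": ev.System.Level, "task": ev.System.Task, "keywords": ev.System.Keywords,
		"record_number": ev.System.EventRecordID, "computer_name": ev.System.Computer, "type": "wineventlog", "event_data": data,
	}, nil
}
```

Struct tags without a namespace match the default `xmlns` on real events, so the same code accepts the full Event Viewer XML quoted above.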

@nellicus

It does help! Thanks @andrewkroh

@elvarb

elvarb commented Mar 4, 2016

The field names are vastly different for each event type, so it would be best to include all extended fields and leave it up to the user to filter out those fields not needed when it reaches Logstash.

@jkjepson

This would be great! Missing the keywords currently...

@andrewkroh
Member Author

@jkjepson Subscribe to issue #1053 for updates. I'm working on this now (keywords included).

@jkjepson

Thanks, will do!
