Event Log Record Fields

Contains data from a Windows event log record.

computer_name

type: string

required: True

The name of the computer that generated the record. When using Windows event forwarding, this name can differ from the beat.hostname.

category

type: string

required: False

The category for this event. The meaning of this value depends on the source of the event.

event_id

type: long

required: True

The event identifier. The value is specific to the source of the event.

log_name

type: string

required: True

The name of the event log from which this record was read. This value is one of the names from the event_logs collection in the configuration.

level

type: string

required: True

The level of the event. The levels that can be logged are: Success, Information, Warning, Error, Audit Success, and Audit Failure.

message

type: string

required: False

The message from the event log record.

message_error

type: string

required: False

The error that occurred while reading and formatting the message from the log. This field is mutually exclusive with message.

message_inserts

type: list

required: False

The raw message data logged by an application. Normally this data is inserted into a parameterized string to create message, but in case of an error, Winlogbeat attempts to provide this raw data. This field is mutually exclusive with message.

record_number

type: string

required: True

The record number of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32 for the Event Logging API and 2^64 for the Windows Event Log API), the next record number will be 0.

source_name

type: string

required: True

The source of the event log record (the application or service that logged the record).

user.identifier

type: string

example: S-1-5-21-3541430928-2051711210-1391384369-1001

required: False

The Windows security identifier (SID) of the account associated with this event.

If Winlogbeat cannot resolve the SID to a name, then the user.name, user.domain, and user.type fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.

user.name

type: string

required: False

The name of the account associated with this event.

user.domain

type: string

required: False

The domain that the account associated with this event is a member of.

user.type

type: string

required: False

The type of account associated with this event.
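As an added illustration, not part of the Winlogbeat documentation or its code, the following Python checks a batch of records against the constraints stated on this page: the required fields, the level values, the mutual exclusion of message with message_error and message_inserts, the all-or-nothing omission of user.name, user.domain and user.type when a SID is not resolved, and the record_number wraparound to 0 described under record_number, which a naive gap check would otherwise flag as lost or cleared records. The sample records, the function names and the assumption that records arrive in write order are constructed for this example.

```python
MAX_RECORD = {"eventlog": 2**32, "wineventlog": 2**64}  # from the record_number description
REQUIRED = ("computer_name", "event_id", "log_name", "level", "record_number", "source_name")
LEVELS = {"Success", "Information", "Warning", "Error", "Audit Success", "Audit Failure"}

def validate_record(rec):
    """Return the constraint violations for one record (empty list means it is consistent)."""
    problems = ["missing required field " + f for f in REQUIRED if f not in rec]
    if "level" in rec and rec["level"] not in LEVELS:
        problems.append("unknown level %r" % rec["level"])
    # message is mutually exclusive with message_error and with message_inserts
    if "message" in rec and ("message_error" in rec or "message_inserts" in rec):
        problems.append("message present together with message_error/message_inserts")
    # when the SID is not resolved, user.name, user.domain and user.type are omitted together
    user = rec.get("user", {})
    if "identifier" in user:
        present = [k for k in ("name", "domain", "type") if k in user]
        if 0 < len(present) < 3:
            problems.append("partial SID resolution, only " + ",".join(present))
    return problems

def record_gaps(records, max_record=MAX_RECORD["eventlog"]):
    """Report breaks in record_number per (computer_name, log_name). A jump from the maximum
    value to 0 is the documented wraparound, not a gap. Assumes records arrive in write order."""
    last, gaps = {}, []
    for rec in records:
        key = (rec["computer_name"], rec["log_name"])
        num = int(rec["record_number"])  # the field is a string in the record
        if key in last:
            wrapped = num == 0 and last[key] >= max_record - 1
            if num != last[key] + 1 and not wrapped:
                gaps.append((key, last[key], num))
        last[key] = num
    return gaps

# Constructed sample records, shaped like Winlogbeat output (not captured from a real host)
SAMPLE = [
    {"computer_name": "WS01", "log_name": "Security", "event_id": 4624, "level": "Audit Success",
     "source_name": "Microsoft-Windows-Security-Auditing", "record_number": "4294967295",
     "message": "An account was successfully logged on.",
     "user": {"identifier": "S-1-5-18", "name": "SYSTEM", "domain": "NT AUTHORITY", "type": "Well Known Group"}},
    {"computer_name": "WS01", "log_name": "Security", "event_id": 4625, "level": "Audit Failure",
     "source_name": "Microsoft-Windows-Security-Auditing", "record_number": "0",
     "message_error": "constructed: message could not be formatted", "message_inserts": ["WS01$"]},
    {"computer_name": "WS01", "log_name": "Security", "event_id": 4625, "level": "Audit Failure",
     "source_name": "Microsoft-Windows-Security-Auditing", "record_number": "7",
     "message": "An account failed to log on.", "message_error": "constructed: both fields set"},
]
```

Running record_gaps over SAMPLE reports only the jump from 0 to 7; the step from 4294967295 to 0 is accepted as the wraparound.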