Windows Event Log fields emitted by Winlogbeat fields | Winlogbeat Reference [7.3]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

« Process fields Monitoring Winlogbeat »

Windows Event Log fields emitted by Winlogbeat fieldsedit

Fields from the Windows Event Log.

log.file.path

The name of the file the event was read from when Winlogbeat is reading directly from an .evtx file.

type: keyword

required: False

event.code

The code for this log message (Windows event ID).

type: keyword

required: False

event.original

The raw XML representation of the event obtained from Windows. This field is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer). This field is not included by default and must be enabled by setting include_xml: true as a configuration option for an individual event log. The XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Winlogbeat can be compared to the data in the XML to diagnose problems.

winlogedit

All fields specific to the Windows Event Log are defined here.

winlog.api

The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.

required: True

winlog.activity_id

A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.

type: keyword

required: False

winlog.computer_name

The name of the computer that generated the record. When using Windows event forwarding, this name can differ from agent.hostname.

type: keyword

required: True

winlog.event_data

The event-specific data. This field is mutually exclusive with user_data. If you are capturing event data on versions prior to Windows Vista, the parameters in event_data are named param1, param2, and so on, because event log parameters are unnamed in earlier versions of Windows.

type: object

required: False

winlog.event_id

The event identifier. The value is specific to the source of the event.

type: keyword

required: True

winlog.keywords

The keywords are used to classify an event.

type: keyword

required: False

winlog.channel

The name of the channel from which this record was read. This value is one of the names from the event_logs collection in the configuration.

type: keyword

required: True

winlog.record_id

The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2³² for the Event Logging API and 2⁶⁴ for the Windows Event Log API), the next record number will be 0.

type: keyword

required: True

winlog.related_activity_id

A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their activity_id identifier.

type: keyword

required: False

winlog.opcode

The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.

type: keyword

required: False

winlog.provider_guid

A globally unique identifier that identifies the provider that logged the event.

type: keyword

required: False

winlog.process.pid

The process_id of the Client Server Runtime Process.

type: long

required: False

winlog.provider_name

The source of the event log record (the application or service that logged the record).

type: keyword

required: True

winlog.task

The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.

type: keyword

required: False

winlog.process.thread.id

type: long

required: False

winlog.user_data

The event specific data. This field is mutually exclusive with event_data.

type: object

required: False

winlog.user.identifier

The Windows security identifier (SID) of the account associated with this event.

If Winlogbeat cannot resolve the SID to a name, then the user.name, user.domain, and user.type fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.

type: keyword

example: S-1-5-21-3541430928-2051711210-1391384369-1001

required: False

winlog.user.domain

The domain that the account associated with this event is a member of.

type: keyword

required: False

winlog.user.type

The type of account associated with this event.

type: keyword

required: False

winlog.version

The version number of the event’s definition.

type: long

required: False

« Process fields Monitoring Winlogbeat »