This document shows some example events generated by Winlogbeat v5. The XML representation of the event as provided by Windows is shown as well as the JSON representation generated by Winlogbeat.

The "EventData" is added to the Winlogbeat JSON as a dictionary named event_data. Each element under EventData becomes a key-value member of the event_data dictionary.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4634</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-13T09:33:15.812714500Z"/>
    <EventRecordID>193</EventRecordID>
    <Correlation/>
    <Execution ProcessID="452" ThreadID="484"/>
    <Channel>Security</Channel>
    <Computer>vagrant-2012-r2</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3541430928-2051711210-1391384369-1001</Data>
    <Data Name="TargetUserName">vagrant</Data>
    <Data Name="TargetDomainName">VAGRANT-2012-R2</Data>
    <Data Name="TargetLogonId">0x837f2</Data>
    <Data Name="LogonType">8</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>An account was logged off.

Subject:
	Security ID:		S-1-5-21-3541430928-2051711210-1391384369-1001
	Account Name:		vagrant
	Account Domain:		VAGRANT-2012-R2
	Logon ID:		0x837F2

Logon Type:			8

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.</Message>
    <Level>Information</Level>
    <Task>Logoff</Task>
    <Opcode>Info</Opcode>
    <Channel>Security</Channel>
    <Provider>Microsoft Windows security auditing.</Provider>
    <Keywords>
      <Keyword>Audit Success</Keyword>
    </Keywords>
  </RenderingInfo>
</Event>
{
  "@timestamp": "2015-01-13T09:33:15.812Z",
  "beat": {
    "hostname": "vagrant-2012-r2",
    "name": "vagrant-2012-r2"
  },
  "computer_name": "vagrant-2012-r2",
  "count": 1,
  "event_data": {
    "LogonType": "8",
    "TargetDomainName": "VAGRANT-2012-R2",
    "TargetLogonId": "0x837f2",
    "TargetUserName": "vagrant",
    "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
  },
  "event_id": 4634,
  "keywords": [
    "Audit Success"
  ],
  "level": "Information",
  "log_name": "Security",
  "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x837F2\n\nLogon Type:\t\t\t8\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
  "opcode": "Info",
  "process_id": 452,
  "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "record_number": "193",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "task": "Logoff",
  "thread_id": 484,
  "type": "wineventlog"
}
The "UserData" is added to the Winlogbeat JSON as a dictionary named user_data. Winlogbeat makes an assumption about the structure of the UserData XML schema in order to map the data into a dictionary. It assumes that UserData will contain one inner element, and that this inner element will contain 0 or more elements that can be mapped into key-value pairs. Each of the key-value pairs becomes a member of the user_data dictionary, and the name of the inner element is recorded in the xml_name member (SessionInfoEvent in the example below).
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Application-Experience" Guid="{EEF54E71-0661-422D-9A98-82FD4940B820}"/>
    <EventID>800</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x400000000000000</Keywords>
    <TimeCreated SystemTime="2016-03-14T12:52:07.138522100Z"/>
    <EventRecordID>3</EventRecordID>
    <Correlation/>
    <Execution ProcessID="2724" ThreadID="1448"/>
    <Channel>Microsoft-Windows-Application-Experience/Program-Inventory</Channel>
    <Computer>vagrant-2012-r2</Computer>
    <Security UserID="S-1-5-18"/>
  </System>
  <UserData>
    <SessionInfoEvent xmlns="http://www.microsoft.com/Windows/Diagnosis/PDU/events">
      <StartTime>2016-03-14T12:52:04.591934900Z</StartTime>
      <StopTime>2016-03-14T12:52:07.138522100Z</StopTime>
      <ExitCode>221</ExitCode>
      <NumNewPrograms>1</NumNewPrograms>
      <NumRemovedPrograms>1</NumRemovedPrograms>
      <NumUpdatedPrograms>0</NumUpdatedPrograms>
      <NumInstalledPrograms>17</NumInstalledPrograms>
      <NumNewOrphans>0</NumNewOrphans>
      <NumNewAddOns>0</NumNewAddOns>
      <NumRemovedAddOns>0</NumRemovedAddOns>
      <NumUpdatedAddOns>0</NumUpdatedAddOns>
      <NumInstalledAddOns>2</NumInstalledAddOns>
      <NumNewInstallations>0</NumNewInstallations>
    </SessionInfoEvent>
  </UserData>
  <RenderingInfo Culture="en-US">
    <Message>An instance of Program Data Updater (PDU) ran with the following information: StartTime: ‎2016‎-‎03‎-‎14T12:52:04.591934900Z, StopTime: ‎2016‎-‎03‎-‎14T12:52:07.138522100Z, ExitCode: 221, Number of new programs: 1, Number of removed programs: 1, Number of updated programs: 0, Number of installed programs: 17, Number of new orphan files: 0, Number of new add-ons: 0, Number of removed add-ons: 0, Number of updated add-ons: 0, Number of installed add-ons: 2, Number of new installations: 0</Message>
    <Level>Information</Level>
    <Task/>
    <Opcode>Info</Opcode>
    <Channel>Microsoft-Windows-Application-Experience/Program-Inventory</Channel>
    <Provider>Microsoft-Windows-Application-Experience</Provider>
    <Keywords/>
  </RenderingInfo>
</Event>
{
  "@timestamp": "2016-03-14T12:52:07.138Z",
  "beat": {
    "hostname": "vagrant-2012-r2",
    "name": "vagrant-2012-r2"
  },
  "computer_name": "vagrant-2012-r2",
  "count": 1,
  "event_id": 800,
  "level": "Information",
  "log_name": "Microsoft-Windows-Application-Experience/Program-Inventory",
  "message": "An instance of Program Data Updater (PDU) ran with the following information: StartTime: 2016-03-14T12:52:04.591934900Z, StopTime: 2016-03-14T12:52:07.138522100Z, ExitCode: 221, Number of new programs: 1, Number of removed programs: 1, Number of updated programs: 0, Number of installed programs: 17, Number of new orphan files: 0, Number of new add-ons: 0, Number of removed add-ons: 0, Number of updated add-ons: 0, Number of installed add-ons: 2, Number of new installations: 0",
  "opcode": "Info",
  "process_id": 2724,
  "provider_guid": "{EEF54E71-0661-422D-9A98-82FD4940B820}",
  "record_number": "3",
  "source_name": "Microsoft-Windows-Application-Experience",
  "thread_id": 1448,
  "type": "wineventlog",
  "user": {
    "domain": "NT AUTHORITY",
    "identifier": "S-1-5-18",
    "name": "SYSTEM",
    "type": "Well Known Group"
  },
  "user_data": {
    "ExitCode": "221",
    "NumInstalledAddOns": "2",
    "NumInstalledPrograms": "17",
    "NumNewAddOns": "0",
    "NumNewInstallations": "0",
    "NumNewOrphans": "0",
    "NumNewPrograms": "1",
    "NumRemovedAddOns": "0",
    "NumRemovedPrograms": "1",
    "NumUpdatedAddOns": "0",
    "NumUpdatedPrograms": "0",
    "StartTime": "2016-03-14T12:52:04.591934900Z",
    "StopTime": "2016-03-14T12:52:07.138522100Z",
    "xml_name": "SessionInfoEvent"
  }
}
With some classic event providers the parameters are unnamed, so you will see that they are labeled generically as paramN.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager"/>
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-03-12T00:12:24.119097300Z"/>
    <EventRecordID>783</EventRecordID>
    <Correlation/>
    <Execution ProcessID="500" ThreadID="1848"/>
    <Channel>System</Channel>
    <Computer>vagrant-2012-r2</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="param1">WMI Performance Adapter</Data>
    <Data Name="param2">running</Data>
    <Binary>77006D006900410070005300720076002F0034000000</Binary>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>The WMI Performance Adapter service entered the running state.</Message>
    <Level>Information</Level>
    <Task/>
    <Opcode/>
    <Channel/>
    <Provider>Microsoft-Windows-Service Control Manager</Provider>
    <Keywords>
      <Keyword>Classic</Keyword>
    </Keywords>
  </RenderingInfo>
</Event>
{
  "@timestamp": "2016-03-14T21:23:38.717Z",
  "beat": {
    "hostname": "vagrant-2012-r2",
    "name": "vagrant-2012-r2"
  },
  "computer_name": "vagrant-2012-r2",
  "count": 1,
  "event_data": {
    "Binary": "44006E007300630061006300680065002F0031000000",
    "param1": "DNS Client",
    "param2": "stopped"
  },
  "event_id": 7036,
  "keywords": [
    "Classic"
  ],
  "level": "Information",
  "log_name": "System",
  "message": "The DNS Client service entered the stopped state.",
  "process_id": 500,
  "provider_guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
  "record_number": "1190",
  "source_name": "Service Control Manager",
  "thread_id": 1848,
  "type": "wineventlog"
}
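The three mappings described on this page (EventData to event_data, UserData to user_data with its xml_name member, and classic providers' paramN names passing through unchanged), as an added Python example that is not Winlogbeat's own code: map_event_data and map_user_data are names chosen here, and the embedded XML samples are constructed by trimming the 4634 and 800 events shown above.

```python
import xml.etree.ElementTree as ET

# Windows event schema namespace carried by every <Event> shown on this page.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

def _local(tag):
    """Return an element's local name without its {namespace} prefix."""
    return tag.rsplit("}", 1)[-1]

def map_event_data(event_xml):
    """EventData mapping: each <Data Name="X"> becomes event_data["X"]; a <Binary>
    element becomes event_data["Binary"]. Classic providers already name their
    parameters param1, param2, ... so no special case is needed. None if absent."""
    ed = ET.fromstring(event_xml).find(NS + "EventData")
    if ed is None:
        return None
    out = {}
    for child in ed:
        if _local(child.tag) == "Data" and child.get("Name"):
            out[child.get("Name")] = child.text or ""
        elif _local(child.tag) == "Binary":
            out["Binary"] = child.text or ""
    return out

def map_user_data(event_xml):
    """UserData mapping under Winlogbeat's stated assumption: <UserData> holds one
    inner element whose children become key-value pairs; that inner element's
    name is stored as user_data["xml_name"]. None if the event has no UserData."""
    ud = ET.fromstring(event_xml).find(NS + "UserData")
    if ud is None:
        return None
    inner = list(ud)
    if len(inner) != 1:  # the assumption does not hold; refuse rather than guess
        raise ValueError("UserData must contain exactly one inner element, got %d" % len(inner))
    out = {_local(c.tag): (c.text or "") for c in inner[0]}
    out["xml_name"] = _local(inner[0].tag)
    return out

# Constructed samples, trimmed from the 4634 and 800 events shown on this page.
LOGOFF_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4634</EventID><Channel>Security</Channel></System><EventData>
<Data Name="TargetUserName">vagrant</Data><Data Name="LogonType">8</Data></EventData></Event>"""
PDU_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>800</EventID></System><UserData><SessionInfoEvent
xmlns="http://www.microsoft.com/Windows/Diagnosis/PDU/events"><ExitCode>221</ExitCode>
<NumNewPrograms>1</NumNewPrograms></SessionInfoEvent></UserData></Event>"""

if __name__ == "__main__":
    print(map_event_data(LOGOFF_XML))  # {'TargetUserName': 'vagrant', 'LogonType': '8'}
    print(map_user_data(PDU_XML))  # {'ExitCode': '221', 'NumNewPrograms': '1', 'xml_name': 'SessionInfoEvent'}
```

Values come out as strings exactly as in the JSON documents above (for example "LogonType": "8"), because the mapping copies element text without type conversion.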