@andrewkroh
Last active April 1, 2016 10:33
This document shows some example Winlogbeat events generated from v5. The XML representation of the event as provided by Windows is shown as well as the JSON representation generated by Winlogbeat.

Pull Request

Event with Named EventData

The "EventData" is added to the Winlogbeat JSON as a dictionary named event_data. Each element under EventData becomes a key-value member of the event_data dictionary.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4634</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-13T09:33:15.812714500Z"/>
    <EventRecordID>193</EventRecordID>
    <Correlation/>
    <Execution ProcessID="452" ThreadID="484"/>
    <Channel>Security</Channel>
    <Computer>vagrant-2012-r2</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3541430928-2051711210-1391384369-1001</Data>
    <Data Name="TargetUserName">vagrant</Data>
    <Data Name="TargetDomainName">VAGRANT-2012-R2</Data>
    <Data Name="TargetLogonId">0x837f2</Data>
    <Data Name="LogonType">8</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>An account 
was logged off.

Subject:
    Security ID:        S-1-5-21-3541430928-2051711210-1391384369-1001
    Account Name:        vagrant
    Account Domain:        VAGRANT-2012-R2
    Logon ID:        0x837F2      

Logon Type:            8

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same
computer.</Message>
    <Level>Information</Level>
    <Task>Logoff</Task>
    <Opcode>Info</Opcode>
    <Channel>Security</Channel>
    <Provider>Microsoft Windows security auditing.</Provider>
    <Keywords>
      <Keyword>Audit 
Success</Keyword>
    </Keywords>
  </RenderingInfo>
</Event>
{
  "@timestamp": "2015-01-13T09:33:15.812Z",
  "beat": {
    "hostname": "vagrant-2012-r2",
    "name": "vagrant-2012-r2"
  },
  "computer_name": "vagrant-2012-r2",
  "count": 1,
  "event_data": {
    "LogonType": "8",
    "TargetDomainName": "VAGRANT-2012-R2",
    "TargetLogonId": "0x837f2",
    "TargetUserName": "vagrant",
    "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001"
  },
  "event_id": 4634,
  "keywords": [
    "Audit Success"
  ],
  "level": "Information",
  "log_name": "Security",
  "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x837F2\n\nLogon Type:\t\t\t8\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
  "opcode": "Info",
  "process_id": 452,
  "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "record_number": "193",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "task": "Logoff",
  "thread_id": 484,
  "type": "wineventlog"
}

Event with UserData

The "UserData" is added to the Winlogbeat JSON as a dictionary named user_data. Winlogbeat makes an assumption about the structure of the UserData XML schema in order to map the data into a dictionary. It assumes that UserData will contain one inner element, and that this inner element will contain 0 or more elements that can be mapped into key-value pairs. Each of the key-value pairs becomes a member of the user_data dictionary, and the name of the inner element is recorded as xml_name.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Application-Experience" Guid="{EEF54E71-0661-422D-9A98-82FD4940B820}"/>
    <EventID>800</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x400000000000000</Keywords>
    <TimeCreated SystemTime="2016-03-14T12:52:07.138522100Z"/>
    <EventRecordID>3</EventRecordID>
    <Correlation/>
    <Execution ProcessID="2724" ThreadID="1448"/>
    <Channel>Microsoft-Windows-Application-Experience/Program-Inventory</Channel>
    <Computer>vagrant-2012-r2</Computer>
    <Security UserID="S-1-5-18"/>
  </System>
  <UserData>
    <SessionInfoEvent xmlns="http://www.microsoft.com/Windows/Diagnosis/PDU/events">
      <StartTime>2016-03-14T12:52:04.591934900Z</StartTime>
      <StopTime>2016-03-14T12:52:07.138522100Z</StopTime>
      <ExitCode>221</ExitCode>
      <NumNewPrograms>1</NumNewPrograms>
      <NumRemovedPrograms>1</NumRemovedPrograms>
      <NumUpdatedPrograms>0</NumUpdatedPrograms>
      <NumInstalledPrograms>17</NumInstalledPrograms>
      <NumNewOrphans>0</NumNewOrphans>
      <NumNewAddOns>0</NumNewAddOns>
      <NumRemovedAddOns>0</NumRemovedAddOns>
      <NumUpdatedAddOns>0</NumUpdatedAddOns>
      <NumInstalledAddOns>2</NumInstalledAddOns>
      <NumNewInstallations>0</NumNewInstallations>
    </SessionInfoEvent>
  </UserData>
  <RenderingInfo Culture="en-US">
    <Message>An instance of Program Data Updater (PDU) ran with the following information: StartTime: &#x200E;2016&#x200E;-&#x200E;03&#x200E;-&#x200E;14T12:52:04.591934900Z, StopTime: &#x200E;2016&#x200E;-&#x200E;03&#x200E;-&#x200E;14T12:52:07.138522100Z, ExitCode: 221, Number of new programs: 1, Number of removed programs: 1, Number of updated programs: 0, Number of installed programs: 17, Number of new orphan files: 0, Number of new add-ons: 0, Number of removed add-ons: 0, Number of updated add-ons: 0, Number of installed add-ons: 2, Number of new installations: 0</Message>
    <Level>Information</Level>
    <Task/>
    <Opcode>Info</Opcode>
    <Channel>Microsoft-Windows-Application-Experience/Program-Inventory</Channel>
    <Provider>Microsoft-Windows-Application-Experience</Provider>
    <Keywords/>
  </RenderingInfo>
</Event>
{
  "@timestamp": "2016-03-14T12:52:07.138Z",
  "beat": {
    "hostname": "vagrant-2012-r2",
    "name": "vagrant-2012-r2"
  },
  "computer_name": "vagrant-2012-r2",
  "count": 1,
  "event_id": 800,
  "level": "Information",
  "log_name": "Microsoft-Windows-Application-Experience/Program-Inventory",
  "message": "An instance of Program Data Updater (PDU) ran with the following information: StartTime: ‎2016‎-‎03‎-‎14T12:52:04.591934900Z, StopTime: ‎2016‎-‎03‎-‎14T12:52:07.138522100Z, ExitCode: 221, Number of new programs: 1, Number of removed programs: 1, Number of updated programs: 0, Number of installed programs: 17, Number of new orphan files: 0, Number of new add-ons: 0, Number of removed add-ons: 0, Number of updated add-ons: 0, Number of installed add-ons: 2, Number of new installations: 0",
  "opcode": "Info",
  "process_id": 2724,
  "provider_guid": "{EEF54E71-0661-422D-9A98-82FD4940B820}",
  "record_number": "3",
  "source_name": "Microsoft-Windows-Application-Experience",
  "thread_id": 1448,
  "type": "wineventlog",
  "user": {
    "domain": "NT AUTHORITY",
    "identifier": "S-1-5-18",
    "name": "SYSTEM",
    "type": "Well Known Group"
  },
  "user_data": {
    "ExitCode": "221",
    "NumInstalledAddOns": "2",
    "NumInstalledPrograms": "17",
    "NumNewAddOns": "0",
    "NumNewInstallations": "0",
    "NumNewOrphans": "0",
    "NumNewPrograms": "1",
    "NumRemovedAddOns": "0",
    "NumRemovedPrograms": "1",
    "NumUpdatedAddOns": "0",
    "NumUpdatedPrograms": "0",
    "StartTime": "2016-03-14T12:52:04.591934900Z",
    "StopTime": "2016-03-14T12:52:07.138522100Z",
    "xml_name": "SessionInfoEvent"
  }
}

Classic Event

With some classic event providers the parameters are unnamed, so you will see them labeled generically as paramN in event_data.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager"/>
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-03-12T00:12:24.119097300Z"/>
    <EventRecordID>783</EventRecordID>
    <Correlation/>
    <Execution ProcessID="500" ThreadID="1848"/>
    <Channel>System</Channel>
    <Computer>vagrant-2012-r2</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="param1">WMI Performance Adapter</Data>
    <Data Name="param2">running</Data>
    <Binary>77006D006900410070005300720076002F0034000000</Binary>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>The WMI Performance Adapter service entered the running state.</Message>
    <Level>Information</Level>
    <Task/>
    <Opcode/>
    <Channel/>
    <Provider>Microsoft-Windows-Service Control Manager</Provider>
    <Keywords>
      <Keyword>Classic</Keyword>
    </Keywords>
  </RenderingInfo>
</Event>
{
  "@timestamp": "2016-03-14T21:23:38.717Z",
  "beat": {
    "hostname": "vagrant-2012-r2",
    "name": "vagrant-2012-r2"
  },
  "computer_name": "vagrant-2012-r2",
  "count": 1,
  "event_data": {
    "Binary": "44006E007300630061006300680065002F0031000000",
    "param1": "DNS Client",
    "param2": "stopped"
  },
  "event_id": 7036,
  "keywords": [
    "Classic"
  ],
  "level": "Information",
  "log_name": "System",
  "message": "The DNS Client service entered the stopped state.",
  "process_id": 500,
  "provider_guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
  "record_number": "1190",
  "source_name": "Service Control Manager",
  "thread_id": 1848,
  "type": "wineventlog"
}
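As an added example (not the gist's or Winlogbeat's own code), this Go program applies the three mapping rules described in the sections above to a constructed event: named EventData elements keyed by their Name attribute, unnamed classic fields (paramN, Binary) keyed by attribute or element name, and the single-inner-element UserData assumption with xml_name. The names node, kvPairs, ExtractData and Sample are chosen here and are not Winlogbeat identifiers.

```go
package main

import "encoding/xml"
// Generic XML element for this demo (not Winlogbeat's own decoder).
type node struct {
	XMLName xml.Name
	Attrs   []xml.Attr `xml:",any,attr"`
	Text    string     `xml:",chardata"`
	Kids    []node     `xml:",any"`
}

// Constructed sample, not one of the page's events: it carries both sections.
const Sample = `<Event><System/><EventData><Data Name="param1">DNS Client</Data><Binary>4400</Binary></EventData><UserData><Info><ExitCode>221</ExitCode></Info></UserData></Event>`

// kvPairs: key is the Name attribute when present (named EventData, paramN),
// else the element name itself (Binary, or fields of a UserData inner element).
func kvPairs(n *node) map[string]string {
	out := map[string]string{}
	for _, k := range n.Kids {
		key := k.XMLName.Local
		for _, a := range k.Attrs {
			if a.Name.Local == "Name" {
				key = a.Value
			}
		}
		out[key] = k.Text
	}
	return out
}

// ExtractData returns (event_data, user_data); user_data is filled only when
// UserData has exactly one inner element, whose name becomes xml_name.
func ExtractData(eventXML string) (map[string]string, map[string]string, error) {
	var ev node
	if err := xml.Unmarshal([]byte(eventXML), &ev); err != nil {
		return nil, nil, err
	}
	eventData, userData := map[string]string{}, map[string]string{}
	for i := range ev.Kids {
		switch k := &ev.Kids[i]; k.XMLName.Local {
		case "EventData":
			eventData = kvPairs(k)
		case "UserData":
			if len(k.Kids) == 1 {
				userData = kvPairs(&k.Kids[0])
				userData["xml_name"] = k.Kids[0].XMLName.Local
			}
		}
	}
	return eventData, userData, nil
}
```

A UserData block that violates the one-inner-element assumption yields an empty user_data, which is worth checking for when a channel's schema differs from the Program-Inventory example above.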