/
winlog.yml
319 lines (293 loc) · 10.3 KB
/
winlog.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
- name: winlog
type: group
description: >
All fields specific to the Windows Event Log are defined here.
fields:
- name: api
type: keyword
description: >
The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API.
The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
- name: activity_id
type: keyword
description: >
A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
- name: channel
type: keyword
description: >
The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
- name: computer_name
type: keyword
description: >
The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
- name: computerObject
type: group
description: >
computer Object data
fields:
- name: domain
type: keyword
- name: id
type: keyword
- name: name
type: keyword
- name: event_data
type: object
object_type: keyword
description: >
The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
- name: event_data
type: group
description: >
This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
fields:
- name: Account
type: keyword
description: An object on a target system that establishes a user’s identity on that target system.
- name: Action
type: keyword
- name: ActionId
type: keyword
- name: Arguments
type: keyword
- name: AuthChain
type: keyword
description: Authentication chains offer a flexible authentication infrastructure, allowing you to customize the end-user authentication experience. An authentication chain contains authentication methods offered by available authentication modules.
- name: AuthUser
type: keyword
description: Authentication user.
- name: BatchSig
type: keyword
description: Request batch ID.
- name: Binding
type: keyword
- name: CanceledBy
type: keyword
description: The user who canceled the request.
- name: ChangedBy
type: keyword
description: The user who made the change.
- name: Checkout
type: keyword
- name: ClientIPs
type: ip
- name: DelayThreshold
type: long
- name: Description
type: keyword
- name: EffectiveUser
type: keyword
- name: ErrorCode
type: keyword
- name: Event
type: keyword
- name: EventID
type: keyword
- name: FailedTargets
type: keyword
- name: GroupSet
type: keyword
- name: Hostname
type: keyword
- name: Identity
type: keyword
description: Identify users.
- name: Initiator
type: keyword
- name: Instance
type: keyword
- name: Issuer
type: keyword
- name: Language
type: keyword
description: Language used.
- name: LoginURL
type: keyword
description: User login URL.
- name: LogonDomain
type: keyword
- name: LogonSystem
type: keyword
- name: LogonUser
type: keyword
- name: MAQ
type: keyword
description: Account set access.
- name: Message
type: keyword
- name: MessageType
type: keyword
- name: Method
type: keyword
- name: Module
type: keyword
- name: Node
type: keyword
- name: Operation
type: keyword
- name: Orchestration
type: keyword
description: Subscriber orchestration.
- name: OSLogin
type: keyword
- name: OTPLogin
type: keyword
description: API login.
- name: Owner
type: keyword
- name: Platform
type: keyword
- name: Policy
type: keyword
- name: Port
type: keyword
- name: Procedure
type: keyword
- name: Profile
type: keyword
- name: QSetID
type: keyword
description: Question set ID.
- name: QSetType
type: keyword
description: Question set type.
- name: QueueDelay
type: long
description: Database replication queue delay.
- name: QueueSize
type: long
description: Database replication queue size.
- name: QueueType
type: keyword
description: Database replication queue type.
- name: Reason
type: keyword
- name: Recipient
type: keyword
description: Recipient of the request.
- name: Replica
type: keyword
description: Replica database or server.
- name: Requester
type: keyword
- name: RequestID
type: keyword
- name: Result
type: keyword
- name: RevokedBy
type: keyword
description: Workflow request has been revoked by.
- name: Runtime
type: long
- name: SessionID
type: keyword
- name: Skin
type: keyword
description: Skin for Bravura Security Fabric instance.
- name: Source
type: keyword
- name: SPFolder
type: keyword
description: Service provider folder.
- name: StoredProc
type: keyword
description: Stored procedure.
- name: System
type: keyword
- name: Target
type: keyword
- name: TargetName
type: keyword
- name: TermintedBy
type: keyword
description: Request terminated by.
- name: Type
type: keyword
- name: URI
type: keyword
description: The HTTP(S) address of the SOAP API of the Bravura Security Fabric server.
- name: WaterMark
type: keyword
description: Database replication watermark.
- name: Workstation
type: keyword
- name: event_id
type: keyword
description: >
The event identifier. The value is specific to the source of the event.
- name: keywords
type: keyword
description: >
The keywords are used to classify an event.
- name: level
type: keyword
description: >
The event severity. Levels are Critical, Error, Warning and Information, Verbose
- name: outcome
type: keyword
description: >
Success or Failure of the event.
- name: record_id
type: keyword
description: >
The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
- name: related_activity_id
type: keyword
description: >
A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
- name: opcode
type: keyword
description: >
The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
- name: provider_guid
type: keyword
description: >
A globally unique identifier that identifies the provider that logged the event.
- name: process.pid
type: long
description: >
The process_id of the Client Server Runtime Process.
- name: provider_name
type: keyword
description: >
The source of the event log record (the application or service that logged the record).
- name: task
type: keyword
description: >
The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
- name: time_created
type: date
description: >
Time event was created
- name: trustAttribute
type: keyword
- name: trustDirection
type: keyword
- name: trustType
type: keyword
- name: process.thread.id
type: long
- name: user_data
type: object
object_type: keyword
description: >
The event specific data. This field is mutually exclusive with `event_data`.
- name: user.identifier
type: keyword
description: >
Identifier of the user associated with this event.
- name: user.name
type: keyword
description: >
Name of the user associated with this event.
- name: user.domain
type: keyword
description: >
The domain that the account associated with this event is a member of.
- name: user.type
type: keyword
description: >
The type of account associated with this event.
- name: version
type: long
description: The version number of the event's definition.