来自 Windows 事件日志的字段。
-
event.original -
从 Windows 获取的事件的原始 XML 表示形式。此字段仅在支持 Windows 事件日志 API 的操作系统(Microsoft Windows Vista 及更高版本)上可用。默认情况下不包含此字段,必须通过为单个事件日志设置
include_xml: true作为配置选项来启用。事件的 XML 表示形式对于故障排除非常有用。可以将 Winlogbeat 报告的字段中的数据与 XML 中的数据进行比较,以诊断问题。
此处定义了所有特定于 Windows 事件日志的字段。
-
winlog.api -
用于读取记录的事件日志 API 类型。可能的值为 “wineventlog”(适用于 Windows 事件日志 API)或 “wineventlog-experimental”(适用于其实验性实现)。
required: True
-
winlog.activity_id -
一个全局唯一标识符,用于标识当前活动。使用此标识符发布的事件是同一活动的一部分。
type: keyword
required: False
-
winlog.computer_name -
生成记录的计算机的名称。使用 Windows 事件转发时,此名称可能与
agent.hostname不同。type: keyword
required: True
-
winlog.computerObject.domain -
事件中添加、修改或删除的帐户的域。
type: keyword
required: False
-
winlog.computerObject.id -
一个全局唯一标识符,用于标识目标设备。
type: keyword
required: False
-
winlog.computerObject.name -
事件中添加、修改或删除的帐户名称。
type: keyword
required: False
-
winlog.event_data -
特定于事件的数据。此字段与
user_data互斥。如果您在 Windows Vista 之前的版本上捕获事件数据,则event_data中的参数将被命名为param1、param2等,因为事件日志参数在早期版本的 Windows 中是未命名的。type: object
required: False
这是 Windows 事件中使用的参数的非详尽列表。通过在模板中定义这些字段,它们可以在仪表板和机器学习作业中使用。
-
winlog.event_data.AuthenticationPackageName -
type: keyword
-
winlog.event_data.Binary -
type: keyword
-
winlog.event_data.BitlockerUserInputTime -
type: keyword
-
winlog.event_data.BootMode -
type: keyword
-
winlog.event_data.BootType -
type: keyword
-
winlog.event_data.BuildVersion -
type: keyword
-
winlog.event_data.CallTrace -
type: keyword
-
winlog.event_data.ClientInfo -
type: keyword
-
winlog.event_data.Company -
type: keyword
-
winlog.event_data.Configuration -
type: keyword
-
winlog.event_data.CorruptionActionState -
type: keyword
-
winlog.event_data.CreationUtcTime -
type: keyword
-
winlog.event_data.Description -
type: keyword
-
winlog.event_data.Detail -
type: keyword
-
winlog.event_data.DeviceName -
type: keyword
-
winlog.event_data.DeviceNameLength -
type: keyword
-
winlog.event_data.DeviceTime -
type: keyword
-
winlog.event_data.DeviceVersionMajor -
type: keyword
-
winlog.event_data.DeviceVersionMinor -
type: keyword
-
winlog.event_data.DriveName -
type: keyword
-
winlog.event_data.DriverName -
type: keyword
-
winlog.event_data.DriverNameLength -
type: keyword
-
winlog.event_data.DwordVal -
type: keyword
-
winlog.event_data.EntryCount -
type: keyword
-
winlog.event_data.EventType -
type: keyword
-
winlog.event_data.EventNamespace -
type: keyword
-
winlog.event_data.ExtraInfo -
type: keyword
-
winlog.event_data.FailureName -
type: keyword
-
winlog.event_data.FailureNameLength -
type: keyword
-
winlog.event_data.FileVersion -
type: keyword
-
winlog.event_data.FinalStatus -
type: keyword
-
winlog.event_data.GrantedAccess -
type: keyword
-
winlog.event_data.Group -
type: keyword
-
winlog.event_data.IdleImplementation -
type: keyword
-
winlog.event_data.IdleStateCount -
type: keyword
-
winlog.event_data.ImpersonationLevel -
type: keyword
-
winlog.event_data.IntegrityLevel -
type: keyword
-
winlog.event_data.IpAddress -
type: keyword
-
winlog.event_data.IpPort -
type: keyword
-
winlog.event_data.KeyLength -
type: keyword
-
winlog.event_data.LastBootGood -
type: keyword
-
winlog.event_data.LastShutdownGood -
type: keyword
-
winlog.event_data.LmPackageName -
type: keyword
-
winlog.event_data.LogonGuid -
type: keyword
-
winlog.event_data.LogonId -
type: keyword
-
winlog.event_data.LogonProcessName -
type: keyword
-
winlog.event_data.LogonType -
type: keyword
-
winlog.event_data.MajorVersion -
type: keyword
-
winlog.event_data.MaximumPerformancePercent -
type: keyword
-
winlog.event_data.MemberName -
type: keyword
-
winlog.event_data.MemberSid -
type: keyword
-
winlog.event_data.MinimumPerformancePercent -
type: keyword
-
winlog.event_data.MinimumThrottlePercent -
type: keyword
-
winlog.event_data.MinorVersion -
type: keyword
-
winlog.event_data.Name -
type: keyword
-
winlog.event_data.NewProcessId -
type: keyword
-
winlog.event_data.NewProcessName -
type: keyword
-
winlog.event_data.NewSchemeGuid -
type: keyword
-
winlog.event_data.NewThreadId -
type: keyword
-
winlog.event_data.NewTime -
type: keyword
-
winlog.event_data.NominalFrequency -
type: keyword
-
winlog.event_data.Number -
type: keyword
-
winlog.event_data.OldSchemeGuid -
type: keyword
-
winlog.event_data.OldTime -
type: keyword
-
winlog.event_data.Operation -
type: keyword
-
winlog.event_data.OriginalFileName -
type: keyword
-
winlog.event_data.Path -
type: keyword
-
winlog.event_data.PerformanceImplementation -
type: keyword
-
winlog.event_data.PreviousCreationUtcTime -
type: keyword
-
winlog.event_data.PreviousTime -
type: keyword
-
winlog.event_data.PrivilegeList -
type: keyword
-
winlog.event_data.ProcessId -
type: keyword
-
winlog.event_data.ProcessName -
type: keyword
-
winlog.event_data.ProcessPath -
type: keyword
-
winlog.event_data.ProcessPid -
type: keyword
-
winlog.event_data.Product -
type: keyword
-
winlog.event_data.PuaCount -
type: keyword
-
winlog.event_data.PuaPolicyId -
type: keyword
-
winlog.event_data.QfeVersion -
type: keyword
-
winlog.event_data.Query -
type: keyword
-
winlog.event_data.Reason -
type: keyword
-
winlog.event_data.SchemaVersion -
type: keyword
-
winlog.event_data.ScriptBlockText -
type: keyword
-
winlog.event_data.ServiceName -
type: keyword
-
winlog.event_data.ServiceVersion -
type: keyword
-
winlog.event_data.Session -
type: keyword
-
winlog.event_data.ShutdownActionType -
type: keyword
-
winlog.event_data.ShutdownEventCode -
type: keyword
-
winlog.event_data.ShutdownReason -
type: keyword
-
winlog.event_data.Signature -
type: keyword
-
winlog.event_data.SignatureStatus -
type: keyword
-
winlog.event_data.Signed -
type: keyword
-
winlog.event_data.StartAddress -
type: keyword
-
winlog.event_data.StartFunction -
type: keyword
-
winlog.event_data.StartModule -
type: keyword
-
winlog.event_data.StartTime -
type: keyword
-
winlog.event_data.State -
type: keyword
-
winlog.event_data.Status -
type: keyword
-
winlog.event_data.StopTime -
type: keyword
-
winlog.event_data.SubjectDomainName -
type: keyword
-
winlog.event_data.SubjectLogonId -
type: keyword
-
winlog.event_data.SubjectUserName -
type: keyword
-
winlog.event_data.SubjectUserSid -
type: keyword
-
winlog.event_data.TSId -
type: keyword
-
winlog.event_data.TargetDomainName -
type: keyword
-
winlog.event_data.TargetImage -
type: keyword
-
winlog.event_data.TargetInfo -
type: keyword
-
winlog.event_data.TargetLogonGuid -
type: keyword
-
winlog.event_data.TargetLogonId -
type: keyword
-
winlog.event_data.TargetProcessGUID -
type: keyword
-
winlog.event_data.TargetProcessId -
type: keyword
-
winlog.event_data.TargetServerName -
type: keyword
-
winlog.event_data.TargetUserName -
type: keyword
-
winlog.event_data.TargetUserSid -
type: keyword
-
winlog.event_data.TerminalSessionId -
type: keyword
-
winlog.event_data.TokenElevationType -
type: keyword
-
winlog.event_data.TransmittedServices -
type: keyword
-
winlog.event_data.Type -
type: keyword
-
winlog.event_data.UserSid -
type: keyword
-
winlog.event_data.Version -
type: keyword
-
winlog.event_data.Workstation -
type: keyword
-
winlog.event_data.param1 -
type: keyword
-
winlog.event_data.param2 -
type: keyword
-
winlog.event_data.param3 -
type: keyword
-
winlog.event_data.param4 -
type: keyword
-
winlog.event_data.param5 -
type: keyword
-
winlog.event_data.param6 -
type: keyword
-
winlog.event_data.param7 -
type: keyword
-
winlog.event_data.param8 -
type: keyword
-
winlog.event_id -
事件标识符。该值特定于事件的来源。
type: keyword
required: True
-
winlog.keywords -
关键字用于对事件进行分类。
type: keyword
required: False
-
winlog.channel -
从中读取此记录的通道的名称。此值是配置中
event_logs集合中的名称之一。type: keyword
required: True
-
winlog.record_id -
事件日志记录的记录 ID。写入事件日志的第一个记录的编号为 1,其他记录按顺序编号。如果记录编号达到最大值(对于事件日志记录 API 为 232,对于 Windows 事件日志 API 为 264),则下一个记录编号将为 0。
type: keyword
required: True
-
winlog.related_activity_id -
一个全局唯一标识符,用于标识控制权转移到的活动。相关事件将具有此标识符作为其
activity_id标识符。type: keyword
required: False
-
winlog.opcode -
事件中定义的操作码。任务和操作码通常用于标识应用程序中记录事件的位置。
type: keyword
required: False
-
winlog.provider_guid -
一个全局唯一标识符,用于标识记录事件的提供程序。
type: keyword
required: False
-
winlog.process.pid -
客户端服务器运行时进程的 process_id。
type: long
required: False
-
winlog.provider_name -
事件日志记录的来源(记录该记录的应用程序或服务)。
type: keyword
required: True
-
winlog.task -
事件中定义的任务。任务和操作码通常用于标识应用程序中记录事件的位置。事件日志记录 API(在 Windows Vista 之前的操作系统上)使用的类别将写入此字段。
type: keyword
required: False
-
winlog.time_created -
事件创建时间。
type: date
required: False
-
winlog.trustAttribute -
为新创建的域信任的属性的十进制值。
type: keyword
required: False
-
winlog.trustDirection -
为域创建的新信任的方向。可能的值为
TRUST_DIRECTION_DISABLED、TRUST_DIRECTION_INBOUND、TRUST_DIRECTION_OUTBOUND和TRUST_DIRECTION_BIDIRECTIONALtype: keyword
required: False
-
winlog.trustType -
事件中添加、修改或删除的帐户名称。可能的值为
TRUST_TYPE_DOWNLEVEL、TRUST_TYPE_UPLEVEL、TRUST_TYPE_MIT和TRUST_TYPE_DCEtype: keyword
required: False
-
winlog.process.thread.id -
type: long
required: False
-
winlog.user_data -
特定于事件的数据。此字段与
event_data互斥。type: object
required: False
-
winlog.user.identifier -
与此事件关联的帐户的 Windows 安全标识符 (SID)。如果 Winlogbeat 无法将 SID 解析为名称,则将从事件中省略
user.name、user.domain和user.type字段。如果您发现 Winlogbeat 未解析 SID,请查看日志以获取问题线索。type: keyword
example: S-1-5-21-3541430928-2051711210-1391384369-1001
required: False
-
winlog.user.name -
与此事件关联的用户的名称。
type: keyword
-
winlog.user.domain -
与此事件关联的帐户所属的域。
type: keyword
required: False
-
winlog.user.type -
与此事件关联的帐户的类型。
type: keyword
required: False
-
winlog.version -
事件定义的版本号。
type: long
required: False