› ›

解码 XML Windows 事件日志

此功能为技术预览版，可能会在未来的版本中更改或删除。Elastic 将努力解决任何问题，但技术预览版的功能不受官方 GA 功能的支持 SLA 约束。

decode_xml_wineventlog 处理器解码存储在 field 键下的 XML 格式的 Windows 事件日志数据。它将结果输出到 target_field 中。

示例

  - decode_xml_wineventlog:
      field: event.original
      target_field: winlog

{
  "event": {
    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>"
  }
}

将产生以下输出

{
  "event": {
    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>",
    "action":   "Special Logon",
		"code":     "4672",
		"kind":     "event",
		"outcome":  "success",
		"provider": "Microsoft-Windows-Security-Auditing",
  },
	"host": {
    "name": "vagrant",
  },
  "log": {
    "level": "information",
  },
  "winlog": {
    "channel": "Security",
    "outcome": "success",
    "activity_id": "{ffb23523-1f32-0000-c335-b2ff321fd701}",
    "level": "information",
    "event_id": 4672,
    "provider_name": "Microsoft-Windows-Security-Auditing",
    "record_id": 11303,
    "computer_name": "vagrant",
    "keywords_raw": 9232379236109516800,
    "opcode": "Info",
    "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
    "event_data": {
      "SubjectUserSid": "S-1-5-18",
      "SubjectUserName": "SYSTEM",
      "SubjectDomainName": "NT AUTHORITY",
      "SubjectLogonId": "0x3e7",
      "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"
    },
    "task": "Special Logon",
    "keywords": [
      "Audit Success"
    ],
    "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
    "process": {
      "pid": 652,
      "thread": {
        "id": 4660
      }
    }
  }
}

有关支持的条件列表，请参阅条件。

配置设置

编辑

Elastic Agent 处理器在摄取管道之前执行，这意味着您的处理器配置不能引用由摄取管道或 Logstash 创建的字段。有关更多限制，请参阅使用处理器有哪些限制？

名称	必需	默认值	描述
`field`	是	`message`	包含 XML 的源字段。
`target_field`	是	`winlog`	解码后的 XML 将写入的字段。要将解码后的 XML 字段合并到事件的根目录，请使用空字符串 (`target_field: ""`) 指定 `target_field`。
`overwrite_keys`	否	`true`	是否使用解码后的 XML 对象中的键覆盖事件中已存在的键。
`map_ecs_fields`	否	`true`	是否在可能的情况下映射额外的 ECS 字段。请注意，ECS 字段键放置在 `target_field` 之外。
`ignore_missing`	否	`false`	如果指定的字段不存在，是否返回错误。
`ignore_failure`	否	`false`	是否忽略处理器产生的所有错误。

字段映射

编辑

字段映射如下

事件字段	源 XML 元素	备注
`winlog.channel`	`<Event><System><Channel>`
`winlog.event_id`	`<Event><System><EventID>`
`winlog.provider_name`	`<Event><System><Provider>`	`Name` 属性
`winlog.record_id`	`<Event><System><EventRecordID>`
`winlog.task`	`<Event><System><Task>`
`winlog.computer_name`	`<Event><System><Computer>`
`winlog.keywords`	`<Event><RenderingInfo><Keywords>`	每个 `Keyword` 的列表
`winlog.opcodes`	`<Event><RenderingInfo><Opcode>`
`winlog.provider_guid`	`<Event><System><Provider>`	`Guid` 属性
`winlog.version`	`<Event><System><Version>`
`winlog.time_created`	`<Event><System><TimeCreated>`	`SystemTime` 属性
`winlog.outcome`	`<Event><System><Keywords>`	如果设置了位 0x20000000000000，则为“成功”；如果设置了 0x10000000000000，则为“失败”
`winlog.level`	`<Event><System><Level>`	转换为小写
`winlog.message`	`<Event><RenderingInfo><Message>`	删除换行符
`winlog.user.identifier`	`<Event><System><Security><UserID>`
`winlog.user.domain`	`<Event><System><Security><Domain>`
`winlog.user.name`	`<Event><System><Security><Name>`
`winlog.user.type`	`<Event><System><Security><Type>`	从整数转换为字符串
`winlog.event_data`	`<Event><EventData>`	映射，其中 Data 元素中的 `Name` 属性为键，值是 Data 元素的值
`winlog.user_data`	`<Event><UserData>`	映射，其中 Data 元素中的 `Name` 属性为键，值是 Data 元素的值
`winlog.activity_id`	`<Event><System><Correlation><ActivityID>`
`winlog.related_activity_id`	`<Event><System><Correlation><RelatedActivityID>`
`winlog.kernel_time`	`<Event><System><Execution><KernelTime>`
`winlog.process.pid`	`<Event><System><Execution><ProcessID>`
`winlog.process.thread.id`	`<Event><System><Execution><ThreadID>`
`winlog.processor_id`	`<Event><System><Execution><ProcessorID>`
`winlog.processor_time`	`<Event><System><Execution><ProcessorTime>`
`winlog.session_id`	`<Event><System><Execution><SessionID>`
`winlog.user_time`	`<Event><System><Execution><UserTime>`
`winlog.error.code`	`<Event><ProcessingErrorData><ErrorCode>`

如果启用 map_ecs_fields，则还会执行以下字段映射

事件字段	源 XML 或其他字段	备注
`event.code`	`winlog.event_id`
`event.kind`	`“event”`
`event.provider`	`<Event><System><Provider>`	`Name` 属性
`event.action`	`<Event><RenderingInfo><Task>`
`event.host.name`	`<Event><System><Computer>`
`event.outcome`	`winlog.outcome`
`log.level`	`winlog.level`
`message`	`winlog.message`
`error.code`	`winlog.error.code`
`error.message`	`winlog.error.message`

« 解码 XML 解压 gzip 字段 »

On this page

示例
配置设置
字段映射

Was this helpful?

Feedback

The Search AI Company

ELK Stack

Elastic Cloud

Generative AI

Search

Security

Observability

By solution

Industries

Customer spotlight

Research

Build

Learn

Connect

解码 XML Windows 事件日志

解码 XML Windows 事件日志

示例

配置设置

字段映射

Follow us

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards