Winlogbeat Status Tracking

_Updated: 2019-12-20_

This issue tracks the overall status of the effort. We can open separate issues to discuss individual features in depth.

Features

• [x] Add ability to read from Windows Event Log API (preferred API to get event log
  data in Windows Vista, Windows Server 2008, and newer). PR: #576
• [x] Read from Event Logging API (provides Windows XP and Windows 2003 compatibility and
  works on all newer versions, but some events cannot be read through this API).
• [x] Event timestamp filtering (ignore_older)
• [x] Event ID filtering #1054 (implemented in #1218)
• [x] Level (severity) filtering #1054 (implemented in #1218)
• [x] Provider (source) filtering (implemented in #1218)
• [x] Add EventData and UserData from the Windows event log records to the data published by Winlogbeat. #1053
• [ ] Add ability to do more advanced queries including using raw XML. #1054
• [ ] Read registry to automatically detect all event logs. The user would not
  need to configure which event logs to read.
• [ ] Wildcard channel names. #1193
• [ ] Add ability to configure UNC path for reading from remote event logs. (we prefer Windows Event Collector/Event Subscriptions but if those cannot be applied then this can be the fall-back.) #1031
• [ ] Reading .evt and .evtx files. Useful for ingesting archived event logs or for forensic purposes. References - .evt format: [1] (https://github.com/libyal/libevt/blob/master/documentation/Windows%20Event%20Log%20%28EVT%29%20format.asciidoc), .evtx format: 1, 2 https://github.com/elastic/beats/issues/4450
• [ ] Message regex filtering (likely unnecessary after adding other filters)
• [ ] Add additional read modes.
  
  
  
  • persistent - the default mode that read events and persist state (the current behavior)
  
  
  • new_only - read all events generated since the beat was started. No state
    
    is persisted. This is like tail -f.
  
  
  • read_then_exit - read all events that exist at startup, then exit.
    
    It ignores new events that are generated after the beat was started.
    
    No state is persisted.
  
  

Performance

• [ ] Share a single cache for message file handles.
• [ ] Add SID to name/domain/type caching.
• [x] Asynchronous event publishing like Filebeat.
• [ ] Share a set of buffers between all event logs so that memory usage does not
  grow linearly with the number of logs being monitored.
• [x] Optimize the slow methods (I suspect they are getStrings and
  utf16ToString).

Type Safety

• [x] Investigate removing unsafe from eventlog_windows.go by parsing the buffer.

Test cases

• [x] Add test case for messages with UTF-16 characters (i.e. Chinese characters). (update: seems like this is working, see http://dev.classmethod.jp/server-side/elasticsearch/winlogbeat-release/)

Is it necessary to do regex filtering on the event? I'm pretty sure you can get all event field values as objects, fields you don't see in the event viewer but are special objects still.

@elvarb I am not proposing regex filtering the event as a whole. I am proposing regex filtering based on the text of the event's message field.

That's what I'm pointing out, you don't have to. For example if a user1 adds user2 to group1 the message field will say that. But also in the event are special fields like the eventid that are called something along the lines of param1, param2 and so on. The message field is an attempt to make the event human readable, and I truly mean an attempt.

https://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=1074&EvtSrc=User32&LCID=1033

Here is an example that is showing what I mean, see the variables named %1,%2 and so on.

That url is a great resource, change the url parameters to get different events

@elvarb Are you saying that regex based filtering is not required if Winlogbeat supports Event ID based filtering since each message is really just derived from a parameterized message template that is given by Event ID + Event Source?

@andrewkroh Exactly, or I at least hope so. The reference to those fields are all over in the Windows documentation and I know that nxlog can read those fields.

Here is another example https://msdn.microsoft.com/en-us/library/aa368560(v=vs.85).aspx

And how to write event logs using parameters https://msdn.microsoft.com/en-us/library/windows/hardware/ff566411(v=vs.85).aspx

And code examples how to get those insertation strings
https://msdn.microsoft.com/en-us/library/windows/desktop/bb427356(v=vs.85).aspx

I have created regex for various windows event logs coming through OSSEC, which is always full text, not fun and prone to regex errors because of unexpected reasons. Try to avoid regex as much as you can.

In my logstash config I am also using the translate filter for various Windows events to translate from specific codes to human readable text. For example logon type:

"2": Interactive
"3": Network
"4": Batch
"5": Service
"7": Unlock
"8": NetworkClearText
"9": NewCredentials
"10": RemoteInteractive
"11": CachedInteractive

Would be fantastic if beats could do this to on the host level instead of having Logstash do this for well known native codes. (for some cases it is still better to do it in Logstash, custom filters and so on)

You've probably already figured this out, but thought I would add some additional context to elvarb's comments from my non-programmer point of view. You can see the individual fields and values within the event log object in a few methods:

In Event Viewer, the XML View has an EventData node with the individual keys and values, and the message is just a more descriptive representation of the EventData values.

In PowerShell the individual values are accessible in the "Properties" Property. You can see this when you run the following:
$Z = Get-WinEvent -LogName Security -MaxEvents 1
$Z.Message
$Z.Properties

or with:
$Z = Get-EventLog -LogName Security -Newest 1
$Z.Message
$Z.ReplacementStrings

I hope that is helpful, I would really love to see this improvement so I can reduce my logstash parsing a bit.

The above comment is related to the feature requested in #1053.

Reading in .evtx sounds amazing. I'm sure lots of people in the security community would love that!

Currently we have an internal python based solution for offline files using python-evtx , which uses an Event ID yaml library but for beats these may be useful. Its worth nothing that your YAML might need to nested as different event channels will reuse eventids eg security , system etc

evtx go library
https://github.com/0xrawsec/golang-evtx

evtx event id database tool with example output
https://github.com/iadgov/Windows-Event-Log-Messages

Here's and MIT licensed evtx parser I found that we could try: https://github.com/dutchcoders/evtxparser

The https://github.com/0xrawsec/golang-evtx project is GPL so it's incompatible with Apache 2.0.

I think reading .evt and .evtx files can be done with Microsoft native api(EvtQuery, EvtSeek,EvtNext ,EvtClose),
I am working on it, but since we need support glob path(like C:\Windows\System32\winevt\Logs*) and other features, it seems to be a filebeat type instead of winlogbeat module.
checkout:
https://github.com/PChou/beats/commit/d9e95234e981bba7560fac88b4fec148e3480b39

@PChou I've compiled your branch and just imported 47 archived evtx files (45GB on disk). It worked like a charm. I did notice when extending the glob to all 5 thousand files in the folder, that winlogbeat did choke, causing floods of messages about the event api being to busy.

Looking forward for this feature to make it into release :smile:
We archive our Windows Events onto a central WEC server, which archives the logs into 500MB chunks. At the moment, that means, if you halt the Winlogbeat process for a couple of minutes, you will loose logs due to the rotation.

+1

@andrewkroh How relevant is this old meta issue?

It's still relevant. Currently we need to execute complex grok parsing with Logstash to make the output pretty.