[partintro]

--

This section contains detailed information about the available Windows event

log processing modules contained in {beatname_uc}. More details about each

module can be found in the module's documentation.

Winlogbeat modules are constructed using the

<<processor-script,script processor>> where all processing happens within

Winlogbeat before the events are delivered to the output.

The general goal of each module is to transform events by renaming fields to

comply with the {ecs-ref}/index.html[Elastic Common Schema] (ECS). The modules

may also apply additional categorization, tagging, and parsing as necessary.

The default configuration file included in packages has each of the modules

configured. To apply the modules to your own configuration file you must add

a `script` processor to your configuration file and point it at the included

script file for the module. The documentation for each module includes an

example.

[float]

=== Usage with Forwarded Events

The `ForwardedEvents` channel can contain events from multiple producers so you

may want to use multiple modules. This can be achieved by applying multiple

script processors that are guarded by a conditional `when` statement.

[source,yaml]

[float]

=== Modules

//pass macro block used here to remove Edit links from modules documentation because it is generated

pass::[<?edit_url?>]

include::modules_list.asciidoc[]

beta[]

The security module processes event log records from the Security log.

The module has transformations for the following event IDs:

* 4624 - An account was successfully logged on.

* 4625 - An account failed to log on.

* 4648 - A logon was attempted using explicit credentials.

More event IDs will be added.

[float]

=== Configuration

[source,yaml]

beta[]

The sysmon module processes event log records from the

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon[Sysinternals

System Monitor] (Sysmon) which is a Windows service and device driver that logs

system activity to the event log. Sysmon is not bundled with Windows or

Winlogbeat and must be installed independently.

The default configuration file includes configuration for Sysmon. If you do not

have Sysmon installed Winlogbeat will log a warning that it could not read from

the `Microsoft-Windows-Sysmon/Operational` channel. It will continue to read

from the other configured channels. If you do install Sysmon at a later time

then a restart of Winlogbeat is required to make it begin reading from the

channel.

This module was built based on Sysmon v9 event manifests. It contains

transformations for each of the defined event IDs.

[float]

=== Configuration

[source,yaml]

This file is generated! See scripts/mage/docs.go or run 'mage docs'.

////

* <<{beatname_lc}-module-security,Security>>

* <<{beatname_lc}-module-sysmon,Sysmon>>

--

include::./modules/security.asciidoc[]

include::./modules/sysmon.asciidoc[]

package mage

import (

"fmt"

"io/ioutil"

"os"

"path/filepath"

"regexp"

"strings"

"github.com/pkg/errors"

"github.com/elastic/beats/dev-tools/mage"

)

const moduleDocsGlob = "module/*/_meta/docs.asciidoc"

var moduleNameRegex = regexp.MustCompile(`module\/(.*)\/_meta\/docs.asciidoc`)

var modulesListTmpl = `

`[1:]

func moduleDocs() error {

searchPath := filepath.Join(mage.XPackBeatDir(moduleDocsGlob))

// Find module docs.

files, err := mage.FindFiles(searchPath)

if err != nil {

return err

}

if len(files) == 0 {

return errors.Errorf("No modules found matching %v", searchPath)

}

// Clean existing files.

if err := os.RemoveAll(mage.OSSBeatDir("docs/modules")); err != nil {

return err

}

// Extract module name from path and copy the file.

var names []string

for _, f := range files {

matches := moduleNameRegex.FindStringSubmatch(filepath.ToSlash(f))

if len(matches) != 2 {

return errors.Errorf("module path %v does not match regexp", f)

}

name := matches[1]

names = append(names, name)

// Copy to the docs dirs.

if err = mage.Copy(f, mage.CreateDir(mage.OSSBeatDir("docs/modules", name+".asciidoc"))); err != nil {

return err

}

}

// Generate and write the docs/modules_list.asciidoc file.

content, err := mage.Expand(modulesListTmpl, map[string]interface{}{

"Modules": names,

})

if err != nil {

return err

}

fmt.Printf(">> update:moduleDocs: Collecting module documentation for %v.\n", strings.Join(names, ", "))

return ioutil.WriteFile(mage.OSSBeatDir("docs/modules_list.asciidoc"), []byte(content), 0644)

}

docs.RegisterDeps(Update.FieldDocs, Update.ModuleDocs)

mg.Deps(Update.Fields, Update.Dashboards, Update.Config, Update.FieldDocs, Update.ModuleDocs)

func (Update) ModuleDocs() error {

return moduleDocs()

}

beta[]

The security module processes event log records from the Security log.

The module has transformations for the following event IDs:

* 4624 - An account was successfully logged on.

* 4625 - An account failed to log on.

* 4648 - A logon was attempted using explicit credentials.

More event IDs will be added.

[float]

=== Configuration

[source,yaml]

beta[]

The sysmon module processes event log records from the

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon[Sysinternals

System Monitor] (Sysmon) which is a Windows service and device driver that logs

system activity to the event log. Sysmon is not bundled with Windows or

Winlogbeat and must be installed independently.

The default configuration file includes configuration for Sysmon. If you do not

have Sysmon installed Winlogbeat will log a warning that it could not read from

the `Microsoft-Windows-Sysmon/Operational` channel. It will continue to read

from the other configured channels. If you do install Sysmon at a later time

then a restart of Winlogbeat is required to make it begin reading from the

channel.

This module was built based on Sysmon v9 event manifests. It contains

transformations for each of the defined event IDs.

[float]

=== Configuration

[source,yaml]