dsnslab / NetworkSecurity


winlogbeat security module does not support events 4802-4803, 4667-4668 #9

Closed powgo377 closed 4 years ago

powgo377 commented 4 years ago

official docs : https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-security.html

I think 4802-4803 and 4667-4668 are essential to this project, but winlogbeat doesn't support them. I wonder if this is expected. If yes, I think I need some hints :( (maybe filebeat?). I almost tried to modify and recompile winlogbeat ......

david9705 commented 4 years ago

I also have the same problem. Event IDs and the information they carry:

4802: screen saver
9999: object rename
1621: open calculator.exe
??: visit website

Those logs are in https://www.manageengine.com/products/active-directory-audit/kb/windows-event-log-id-list.html?tab=System, and cannot be presented in Kibana.

dsnslab commented 4 years ago

Since those events belong to the Security log in Windows Event Viewer, you have to run winlogbeat as admin. Winlogbeat can collect those events by default.

powgo377 commented 4 years ago

I always run winlogbeat as admin to complete scenarios a and b, and still can't get 4802-4803 xxxxx; looks like winlogbeat just doesn't support that.

Another reference here: https://github.com/elastic/beats/issues/16334 - they are still working to support these event IDs.

dsnslab commented 4 years ago

We tested the screen saver just now, and we use winlogbeat version 7.9.2 by default. https://www.elastic.co/downloads/beats/winlogbeat

We can see the related log in Kibana.

Maybe try again!

dsnslab commented 4 years ago

@david9705 "visit website" should be packetbeat.

becca211137 commented 4 years ago

I always run winlogbeat as admin to complete scenarios a and b, and still can't get 4802-4803 xxxxx; looks like winlogbeat just doesn't support that.

Another reference here: elastic/beats#16334 - they are still working to support these event IDs.

I also have this problem with version 7.9.2; should I adjust other settings? Otherwise, I can't observe the specified log in Event Viewer.

dsnslab commented 4 years ago

@becca211137 The reason you can't observe specific logs is that you have to enable auditing for the specific event you are looking for.
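To make the last comment concrete, here is an added example (not from this thread or the project) of how to confirm the audit policy on the Windows host before blaming winlogbeat. Events 4802 (screen saver invoked) and 4803 (screen saver dismissed) are generated by the "Other Logon/Logoff Events" audit subcategory; if that subcategory is not enabled, nothing is written to the Security log, so there is nothing for winlogbeat to ship regardless of module support. The subcategory name is Microsoft's; the audit settings shown are assumptions about the lab host, and the commands must be run from an elevated PowerShell session.

```powershell
# Added example, not part of the original issue thread or the NetworkSecurity project.
# Run as Administrator. Checks and enables the audit subcategory that produces
# 4802/4803, then verifies the events actually land in the Security log.

# 1. Show the current setting for the subcategory behind 4802/4803.
#    "No Auditing" here explains an empty result in Event Viewer and Kibana alike.
auditpol /get /subcategory:"Other Logon/Logoff Events"

# 2. Enable success and failure auditing for that subcategory
#    (assumed lab setting; a production baseline may differ).
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable

# 3. To find the subcategory behind another ID (for example 4667-4668),
#    list every subcategory and its current state, then enable the relevant one.
auditpol /get /category:*

# 4. After triggering the screen saver (invoke, then dismiss), confirm the
#    events exist locally. If they appear here, the problem is downstream
#    (winlogbeat privileges or configuration), not the audit policy.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4802, 4803 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message
```

If step 4 returns events but Kibana still shows none, the next thing to verify is that winlogbeat itself is running elevated (the Security log is not readable by a standard user, as dsnslab noted above) and that its Security log configuration does not filter out those IDs.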