Security module fields [exported-fields-security]

docs/reference/winlogbeat/exported-fields-security.md

% This file is generated! See dev-tools/mage/generate_fields_docs.go

These are the event fields specific to the module for the Security log.

winlog.logon [_winlog.logon]

Data related to a Windows logon.

winlog.logon.type : Logon type name. This is the descriptive version of the winlog.event_data.LogonType ordinal. This is an enrichment added by the Security module.

type: keyword

example: RemoteInteractive

winlog.logon.id : Logon ID that can be used to associate this logon with other events related to the same logon session.

type: keyword

winlog.logon.failure.reason : The reason the logon failed.

type: keyword

winlog.logon.failure.status : The reason the logon failed. This is a textual description based on the value of the hexadecimal Status field.

type: keyword

winlog.logon.failure.sub_status : Additional information about the logon failure. This is a textual description based on the value of the hexadecimal SubStatus field.

type: keyword