winlogbeat 7.8 event.outcome on non-english OS #20079

Closed
okoehler-okocon opened this issue Jul 21, 2020 · 2 comments · Fixed by #20564

@okoehler-okocon

Hello,

I just encountered that winlogbeat 7.8 is not setting eventOutcomes on non-English OS correctly (here in German).

This is the original Events in winlogbeat-security.js, and that will not catch the German translation in the event log:

```js
var eventOutcomes = {
    "Audit Success": "success",
    "Audit Failure": "failure",
};
```

This works...

```js
var eventOutcomes = {
    "Audit Success": "success",
    "Audit Failure": "failure",
    "Überwachung erfolgreich": "success",
    "Überwachung fehlgeschlagen": "failure"
};
```

@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@willemdh

(Same for Dutch events)

andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 11, 2020
Set the event.outcome value if the event contains the "audit failure" or "audit success" keywords.
The `Keywords` value in the XML is a hex value where each bit can represent a keyword. So this
checks if the audit success or audit failure bits are set then adds `event.outcome` as either
"success" or "failure".

I removed similar logic from the Security module since it is now redundant. That logic was based
on string matching of the keyword name (rather than number) so it had problems when the OS
language was not English.

Fixes elastic#20079
andrewkroh added a commit that referenced this issue Aug 14, 2020
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 14, 2020
(cherry picked from commit 16ea8e2)
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 24, 2020
(cherry picked from commit 16ea8e2)
andrewkroh added a commit that referenced this issue Aug 24, 2020
(cherry picked from commit 16ea8e2)
andrewkroh added a commit that referenced this issue Aug 24, 2020
(cherry picked from commit 16ea8e2)
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this issue Oct 14, 2020
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
…#20612)

(cherry picked from commit f252dbc)
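
The bit test described in the commit message, next to the name lookup quoted in the issue, as an added example (not the Beats code). The two masks are the `WINEVENT_KEYWORD_AUDIT_FAILURE` and `WINEVENT_KEYWORD_AUDIT_SUCCESS` values from the Windows SDK header `winmeta.h`; the function names and the sample events are constructed for this illustration.

```javascript
// Added example: not the Beats implementation.
// Keyword bits as defined in the Windows SDK header winmeta.h.
const AUDIT_FAILURE = 0x0010000000000000n; // WINEVENT_KEYWORD_AUDIT_FAILURE
const AUDIT_SUCCESS = 0x0020000000000000n; // WINEVENT_KEYWORD_AUDIT_SUCCESS

// Lookup quoted in the issue: keyed on the rendered, localized keyword name.
const eventOutcomes = {
  "Audit Success": "success",
  "Audit Failure": "failure",
};

function outcomeFromNames(names) {
  for (const name of names || []) {
    if (Object.prototype.hasOwnProperty.call(eventOutcomes, name)) {
      return eventOutcomes[name];
    }
  }
  return undefined; // localized names fall through: no event.outcome
}

// Language-independent: test the bits of the raw Keywords value from the XML.
function outcomeFromKeywords(hex) {
  let mask;
  try {
    mask = BigInt(hex); // 64-bit value, too wide for a JS Number
  } catch {
    return undefined; // missing or malformed Keywords attribute
  }
  // Assumption of this example: failure is reported if both bits are set.
  if ((mask & AUDIT_FAILURE) !== 0n) return "failure";
  if ((mask & AUDIT_SUCCESS) !== 0n) return "success";
  return undefined; // not an audit event (e.g. classic Application log)
}

// Constructed sample events (hypothetical field names, not a Winlogbeat schema).
const sampleEvents = [
  { id: 4624, keywords: "0x8020000000000000", names: ["Audit Success"] },
  { id: 4625, keywords: "0x8010000000000000", names: ["Überwachung fehlgeschlagen"] },
  { id: 4624, keywords: "0x8020000000000000", names: ["Überwachung erfolgreich"] },
  { id: 1000, keywords: "0x80000000000000", names: ["Classic"] },
];

function compare(events) {
  return events.map((e) => ({
    id: e.id,
    byName: outcomeFromNames(e.names),
    byBits: outcomeFromKeywords(e.keywords),
  }));
}

console.table(compare(sampleEvents));
```

On the German rows the name lookup leaves the outcome unset while the bit test still returns it, so detections that filter on `event.outcome: failure` would silently miss those failed logons.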