Microsoft WinRM Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Microsoft Windows Remote Management (WinRM) is the Microsoft implementation of the WS-Management protocol that enables remote administration of Windows systems. This technology pack processes Microsoft-Windows-WinRM/Operational event logs, providing normalization and enrichment of WinRM session, operation, authentication, and error events.

Supported Versions

  • Windows Server 2012 R2 or later

  • Windows 10 or later

  • NXLog 2.10 (im_msvistalog)

  • Winlogbeat 8.x

Requirements

  • Graylog 7.1+ with a valid Enterprise license

  • WinRM Operational event log collection enabled on the source host

  • NXLog or Winlogbeat agent forwarding the Microsoft-Windows-WinRM/Operational channel

Log Collection and Delivery

WinRM logs are collected via NXLog or Winlogbeat running on the WinRM host (client or server) and delivered to a Graylog input.

NXLog Collection

Configure NXLog to read the Microsoft-Windows-WinRM/Operational channel and forward via GELF.

  1. Configure an im_msvistalog input with QueryXML targeting Channel='Microsoft-Windows-WinRM/Operational'.

  2. Configure an om_tcp or om_udp output with the GELF format pointed at your Graylog GELF input.

Winlogbeat Collection

Configure Winlogbeat to read the Microsoft-Windows-WinRM/Operational channel.

  1. Add an event_logs entry named Microsoft-Windows-WinRM/Operational.

  2. Configure the Logstash or Beats output to deliver to your Graylog Beats input.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:WinRM Event Messages"

Hint: If this stream does not exist prior to the activation of this pack then it is created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "WinRM Event Messages"

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

What is Provided

  • Parsing rules to extract WinRM Operational event log fields into Graylog schema-compatible fields for both NXLog and Winlogbeat agents.

  • Lookup-based enrichment of WSMan/WinRM error codes to human-readable descriptions.

  • Normalization of WinRM operation names (e.g. Enumeration, Get, Invoke, Subscribe) to a canonical event_action verb.

  • Graylog Information Model (GIM) categorization for WinRM authentication, authorization, network connection, and service lifecycle events under the authentication, network, and service categories.

  • Network direction tagging (inbound/outbound) for session lifecycle events (6, 80, 91).

  • WinRM Spotlight content pack with one overview dashboard.

Events Processed by This Technology Pack

The content pack processes events from the Microsoft-Windows-WinRM/Operational channel.

  • Session lifecycle events (6, 80, 91): outbound session creation, request dispatch, inbound session reception

  • Operation events (132, 142, 143, 172, 774, 775, 1025, 1048, 1840, 1843, 2049): WSMan operation success, failure, response handling, and protocol diagnostics

  • Authentication events (161, 164, 169, 1291, 1295): user and machine authentication failures and successful credential validation

  • Authorization events (192, 1536): post-authentication access decisions

  • Service lifecycle events (208, 210, 213, 215, 224): WinRM service start, stop, security/plugin errors, and configuration change

GIM Categorization

GIM categorization is provided for the following messages:

Event ID Description gim_event_type_code gim_event_class gim_event_category gim_event_subcategory gim_event_type
6, 80 WinRM outbound session created or request dispatched 120200 protocol network network.open network connection initiated
91 WinRM inbound session received on the server 120000 protocol network network.network_connection network connection
161 User authentication failure on the remote system 100501 authentication authentication authentication.credential validation credential validation error
164 Destination machine authentication failure on the client 100501 authentication authentication authentication.credential validation credential validation error
169 User authenticated to remote system 100000, 100500 authentication authentication authentication.logon, authentication.credential validation logon and credential validation
192 WinRM authorization granted to authenticated user 101000 authentication authentication authentication.access notice access notice
208 WinRM service startup initiated 210000 endpoint service service.start service started
210 WinRM service stop failure 210100 endpoint service service.stop service stopped
213 WinRM service security error 211504 endpoint service service.state service error
215 WinRM service plugin loading error 211504 endpoint service service.state service error
224 WinRM service configuration change 211000 endpoint service service.configuration service configuration change
1291 Client authentication success 100000, 100500 authentication authentication authentication.logon, authentication.credential validation logon and credential validation
1295 Server authentication success 100000, 100500 authentication authentication authentication.logon, authentication.credential validation logon and credential validation
1536 WinRM authorization completed successfully 101000 authentication authentication authentication.access notice access notice

Fields Extracted by This Pack

Fields extracted from WinRM Operational events. Some fields are only present on specific event IDs.

Field Name Example Value Field Type Description
event_code 142 long Windows event ID
event_log_name microsoft-windows-winrm/operational string Windows event log channel name
event_received_time 2024-06-11 15:10:36 string Timestamp the event was received by the agent
event_reporter WIN-CLIENT01 string Hostname of the agent reporting the event
event_source WIN-CLIENT01 string Source host for the event
event_source_product windows_winrm string Illuminate source product identifier
event_uid 1303 string Windows event record ID
event_action allowed string Canonical access-control decision: blocked for auth failures (161, 164), allowed for auth successes (169, 1291, 1295) and inbound sessions (91); not set for protocol/operation events
event_outcome success string Outcome of the event (success or failure); set on session, operation, authentication, service, quota, and error events. Not set on diagnostic/trace events (145, 254, 2048) or events without a definitive outcome (80, 166, 208, 224)
event_severity high string Canonical severity (critical, high, medium, low, informational) derived from vendor_event_severity
event_severity_level 4 integer Canonical severity level (1-5) derived from event_severity by core
application_name winrm string Application name set on session and authentication events
network_direction outbound string Direction of the WinRM session (inbound for event 91, outbound for events 6 and 80)
source_reference 10.0.0.5 string Source host or IP for inbound session events
destination_reference WIN-SERVER01 string Destination host for outbound session events
user_name DOMAIN\Administrator string User account associated with the WinRM authentication event
windows_authentication_package_name Kerberos string Authentication mechanism negotiated for the WinRM session
vendor_event_action Enumeration string WSMan operation name (Enumeration, Get, Put, Create, Delete, Invoke, Subscribe, ...)
event_error_code 2150858770 string WSMan/WinRM error code
event_error_description WSManFault: The WS-Management service cannot process the request because the request contained invalid selectors for the resource string Human-readable description of the WinRM error code, resolved via lookup
vendor_data_resource_uri http://schemas.microsoft.com/powershell/Microsoft.PowerShell string WSMan resource URI for the request
vendor_data_plugin_name Microsoft.PowerShell string WinRM plugin name (event 215)
vendor_data_action_uri http://schemas.xmlsoap.org/ws/2004/09/transfer/Get string WSMan action URI (event 1025)
vendor_data_configuration_name MaxConcurrentOperationsPerUser string WinRM configuration setting name (event 224)
vendor_data_configuration_value 1500 string WinRM configuration setting value (event 224)
vendor_data_operation_count 1500 integer Concurrent operation count (event 774 quota exceeded)
vendor_data_max_operations 1500 integer Maximum concurrent operations limit (event 774)
vendor_data_request_count 100 integer Request count within the throttling window (event 775)
vendor_data_window_time 60 integer Throttling window in seconds (event 775)
vendor_data_delay_hint 5000 integer Suggested client delay in milliseconds (event 775)
vendor_data_security_warning Untrusted client connection rejected string Security warning text (event 1843)
http_response_code 500 integer HTTP response code from the WSMan service (event 1048)
vendor_event_category response handling string Vendor-supplied event category
vendor_event_severity ERROR string Vendor-supplied event severity
vendor_event_severity_level 4 integer Vendor-supplied numeric severity level
vendor_opcode Stop string Vendor-supplied opcode
vendor_opcode_value 2 integer Vendor-supplied numeric opcode value
gim_event_type_code 100501 integer GIM event type code (set on authentication events 161, 169, 1295)

WinRM Spotlight Content Pack

The WinRM Spotlight offers a dashboard with the following tabs:

WinRM Overview