---
title: Winlogbeat fields
description: Fields from the Windows Event Log. All fields specific to the Windows Event Log are defined here. This is a non-exhaustive list of parameters that are...
url: https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/winlogbeat/exported-fields-winlog
products:
- Beats
- Winlogbeat
applies_to:
- Elastic Cloud Serverless: Generally available
- Elastic Stack: Generally available
---
# Winlogbeat fields
Fields from the Windows Event Log.
The raw XML representation of the event obtained from Windows. This field is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer). This field is not included by default and must be enabled by setting `include_xml: true` as a configuration option for an individual event log. The XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Winlogbeat can be compared to the data in the XML to diagnose problems.
## winlog
All fields specific to the Windows Event Log are defined here.
A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
type: keyword
required: False
The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`.
type: keyword
required: True
The domain of the account that was added, modified or deleted in the event.
type: keyword
required: False
A globally unique identifier that identifies the target device.
type: keyword
required: False
The account name that was added, modified or deleted in the event.
type: keyword
required: False
The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.
type: object
required: False
## event_data
This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
type: keyword
The event identifier. The value is specific to the source of the event.
type: keyword
required: True
The keywords are used to classify an event.
type: keyword
required: False
The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.
type: keyword
required: True
The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
type: keyword
required: True
A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.
type: keyword
required: False
The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
type: keyword
required: False
A globally unique identifier that identifies the provider that logged the event.
type: keyword
required: False
The process_id of the Client Server Runtime Process.
type: long
required: False
The source of the event log record (the application or service that logged the record).
type: keyword
required: True
The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
type: keyword
required: False
The event creation time.
type: date
required: False
The decimal value of attributes for new trust created to a domain.
type: keyword
required: False
The direction of new trust created to a domain. Possible values are `TRUST_DIRECTION_DISABLED`, `TRUST_DIRECTION_INBOUND`, `TRUST_DIRECTION_OUTBOUND` and `TRUST_DIRECTION_BIDIRECTIONAL`
type: keyword
required: False
The account name that was added, modified or deleted in the event. Possible values are `TRUST_TYPE_DOWNLEVEL`, `TRUST_TYPE_UPLEVEL`, `TRUST_TYPE_MIT` and `TRUST_TYPE_DCE`
type: keyword
required: False
type: long
required: False
The event specific data. This field is mutually exclusive with `event_data`.
type: object
required: False
The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
type: keyword
example: S-1-5-21-3541430928-2051711210-1391384369-1001
required: False
Name of the user associated with this event.
type: keyword
The domain that the account associated with this event is a member of.
type: keyword
required: False
The type of account associated with this event.
type: keyword
required: False
The version number of the event's definition.
type: long
required: False