Account Name with "space" or "-" makes two log entries

HI,

I am relatively new to ELK. I have a one-cluster, one-node setup and almost everything is set to default.

All Windows logs are sent to this instance. The primary goal for this installation is daily log event monitoring.

Everything is working fine except for the logs with an account name or group that has a space or hyphen, e.g. user 1, user-1 or group 1.

This happens when I go to Kibana to create a visualization for a sample report.

What is the best way to ensure that accounts with spaces or "-" won't get ignored and won't get treated as separate values?

Looking forward to your response.

How does this happen?

Have a look at setting the mapping for that field to a keyword. A field mapped as analyzed text is tokenized, so a value like "user 1" is indexed as the separate terms "user" and "1" and shows up as separate buckets in a visualization; a keyword field keeps the whole value as one term.

Windows logs are sent to one syslog server then goes to ELK.

We have a default filtering in logstash with minor changes but it was to remove unnecessary fields (see below):

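filter {
  # Plain syslog lines from the relay (the "type" value is set by the input).
  if [type] == "syslog" {
    grok {
      # Standard syslog header: timestamp, host, program, optional "[pid]", then the payload.
      # The brackets around the pid are escaped here: as written in the original ("[%{POSINT...}]")
      # they form a regex character class, so the optional pid group cannot match a literal "[1234]".
      # The escapes were most likely lost when the config was pasted into the post.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # Record when and from where Logstash received the line; useful when the
      # timestamp inside the message turns out to be stale or wrong.
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    # Splits the syslog <PRI> value into facility and severity fields.
    syslog_pri { }
    date {
      # Classic syslog timestamps carry neither year nor timezone; the date filter
      # assumes the current year and the pipeline's default zone -- worth checking
      # around the year boundary.
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}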
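filter {
  # Windows events arrive as syslog lines whose payload is key=value text (nxlog-style field names).
  if [type] == "WindowsEventLog" {
    grok {
      # NOTE: the field name "evenitID" is misspelled in the original pattern. It is kept
      # as-is because renaming it changes the indexed field name and would break any
      # saved search or visualization already built on it.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} %{DATA:syslog_facility} %{DATA:evenitID} - %{DATA:token} %{GREEDYDATA:syslog_message}" }
    }
    # kv with no options parses the "message" field, splitting pairs on whitespace.
    # NOTE(review): if the upstream writer does not quote values, a value containing a
    # space (e.g. an account name "user 1") is cut at the first space right here --
    # confirm against a raw sample line before blaming the index mapping.
    kv {
      # Drop fields not needed for daily review. remove_field silently ignores names that do
      # not exist, so misspelled names remove nothing: "PrivlegeList" and "ProvideGuid" in the
      # original are corrected below to the Windows schema spellings PrivilegeList / ProviderGuid
      # (assumes the forwarder passes those names through verbatim -- verify on a raw event).
      # The duplicate "Version" entry in the original list is dropped.
      # Note that FileName is removed here, which makes the "[FileName]" override further down
      # unreachable; and removing the *UserSid / LogonType / Status / IpPort fields removes what
      # would tie an AccountName back to a specific principal or logon -- keep them if this
      # index is ever used for investigation rather than daily review only.
      remove_field => [ "LogonType", "Opcode", "AccountType", "AuthenticationPackageName", "Domain", "EventReceivedTime", "FileName", "ImpersonationLevel", "IpPort", "KeyLength", "Keywords", "LmPackageName", "LogonGuid", "LogonProcessName", "OpcodeValue", "PackageName", "PreAuthType", "PrivilegeList", "ProcessName", "ProviderGuid", "ServiceName", "ServiceSid", "SourceModuleType", "Status", "SubjectDomainName", "SubjectLogonId", "SubjectUserSid", "TargetDomainName", "TargetSid", "TargetUserSid", "Task", "ThreadID", "TicketEncryptionType", "TicketOptions", "TransmittedServices", "UserID", "Version", "eventlog_channel", "eventlog_record_number", "eventlog_severity" ]
    }
    mutate {
      # FileName is already gone at this point (removed by the kv block above), so lowercasing
      # it is a no-op; kept to match the original behaviour.
      lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
    }
    mutate {
      rename => [ "Hostname", "source_host" ]
    }
    mutate {
      # gsub takes a regex: "." here matches any character, which is harmless for this suffix
      # but would also strip e.g. "xexample.com". Escape the dot if exactness matters.
      gsub => ["source_host",".example.com",""]
    }
    date {
      match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ]
    }
    mutate {
      # Normalise forwarder field names to the eventlog_* naming used by the dashboards.
      rename => [ "Severity", "eventlog_severity" ]
      rename => [ "SeverityValue", "eventlog_severity_code" ]
      rename => [ "Channel", "eventlog_channel" ]
      rename => [ "SourceName", "eventlog_program" ]
      rename => [ "SourceModuleName", "nxlog_input" ]
      rename => [ "Category", "eventlog_category" ]
      rename => [ "EventID", "eventlog_id" ]
      rename => [ "RecordNumber", "eventlog_record_number" ]
      rename => [ "ProcessID", "eventlog_pid" ]
    }

    # Derive a single AccountName. The "=~ "."" test is true when the field exists and is
    # non-empty. Order matters: when an event carries both a Subject and a Target user
    # (logon events do), the second replace wins and TargetUserName becomes AccountName,
    # so the acting (subject) account is not visible in AccountName for those events.
    if [SubjectUserName] =~ "." {
      mutate {
        replace => [ "AccountName", "%{SubjectUserName}" ]
      }
    }
    if [TargetUserName] =~ "." {
      mutate {
        replace => [ "AccountName", "%{TargetUserName}" ]
      }
    }
    # Unreachable as written: FileName is in the kv remove_field list above. If the channel
    # override is wanted, take FileName out of that list.
    if [FileName] =~ "." {
      mutate {
        replace => [ "eventlog_channel", "%{FileName}" ]
      }
    }

    mutate {
      # Windows account names are case-insensitive; lowercasing keeps "User-1" and "user-1"
      # in one bucket. This does not address spaces or hyphens -- that is the field mapping.
      lowercase => [ "AccountName", "eventlog_channel" ]
    }

  }
}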


Sorry for the earlier response. The fields that I'm referring to were all set to "String".
