Windows event logs are shipped by an nxlog agent to a single syslog relay, which forwards them on to the ELK stack.
Our Logstash filter is the stock example with minor changes; the main change is to drop fields we considered unnecessary (see below):
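filter {
  if [type] == "syslog" {
    # Plain (non-Windows) syslog lines: split the RFC 3164 header from the message body.
    # The "[pid]" part is optional. The brackets MUST be escaped (\[ ... \]) so grok
    # treats them literally; unescaped, "[%{POSINT:syslog_pid}]" is a regex character
    # class, the pid is never captured and lines with a pid fail to match.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # One add_field hash rather than the same key repeated twice: duplicate keys
      # inside a plugin block are ambiguous and newer Logstash releases warn on or
      # reject them. Keep the arrival time and the peer we received the line from:
      # the hostname in the syslog header is whatever the sender chose to put there,
      # so received_from is the only value that is not attacker-controlled.
      # NOTE(review): with ECS-compatible Logstash "host" is an object; use
      # "%{[host][name]}" (or [host][ip]) there.
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    # Derive syslog_facility / syslog_severity from the <PRI> value when present.
    syslog_pri { }
    # RFC 3164 timestamps carry neither year nor timezone; Logstash assumes the current
    # year and the pipeline's local zone. Set "timezone" here if the relay does not run
    # in the same zone as Logstash, or the events will be offset in Kibana.
    # Days 1-9 are space-padded ("Oct  5 ..."), hence the double-space pattern.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}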
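filter {
  if [type] == "WindowsEventLog" {
    # Windows events arrive wrapped in a syslog header added by the relay. Peel the
    # header off into its own fields; the key=value event data stays in syslog_message.
    # (Field was previously misspelled "evenitID".)
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} %{DATA:syslog_facility} %{DATA:eventID} - %{DATA:token} %{GREEDYDATA:syslog_message}" }
    }
    # kv with no "source" parses the whole "message" field; header tokens without an
    # "=" are ignored, so this still works. remove_field here only runs when kv
    # succeeded, i.e. when the event actually had key=value data.
    #
    # Trimmed compared to the earlier list: typos fixed ("PrivlegeList" and
    # "ProvideGuid" never matched anything, so those fields were never removed),
    # the duplicate "Version" dropped, and the "eventlog_*" names dropped because
    # they do not exist yet at this point (they are created by the renames below).
    #
    # Deliberately KEPT for detection use (they were previously discarded):
    #   LogonType                 - interactive vs network vs RDP (4624/4625; lateral
    #                               movement and RDP alerting need it)
    #   IpPort                    - paired with IpAddress for source attribution
    #   Status                    - why a logon failed (4625/4771/4776)
    #   AuthenticationPackageName - NTLM vs Kerberos vs Negotiate
    #   SubjectLogonId, LogonGuid - the only way to tie 4624 to 4648/4672/4634
    #   TicketEncryptionType,
    #   PreAuthType, ServiceName  - Kerberos downgrade / kerberoasting / AS-REP
    #                               roasting indicators (4768/4769/4771)
    #   ProcessName               - which binary initiated the logon / audit event
    # FileName is kept for now because the channel override further down reads it;
    # it is removed at the end of this block.
    kv {
      remove_field => [ "Opcode", "AccountType", "Domain", "EventReceivedTime", "ImpersonationLevel", "KeyLength", "Keywords", "LmPackageName", "LogonProcessName", "OpcodeValue", "PackageName", "PrivilegeList", "ProviderGuid", "ServiceSid", "SourceModuleType", "SubjectDomainName", "SubjectUserSid", "TargetDomainName", "TargetSid", "TargetUserSid", "Task", "ThreadID", "TicketOptions", "TransmittedServices", "UserID", "Version" ]
    }
    # Normalise case before renaming so downstream queries can use lower-case values.
    mutate {
      lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
    }
    mutate {
      rename => [ "Hostname", "source_host" ]
    }
    # Strip the domain suffix. gsub takes a regex: the dots are escaped and the
    # pattern anchored at the end so only a literal trailing ".example.com" is
    # removed; the unescaped ".example.com" also matched e.g. "xexampleXcom" and
    # could remove text from the middle of a hostname.
    mutate {
      gsub => [ "source_host", "\.example\.com$", "" ]
    }
    # nxlog's EventTime carries no timezone; Logstash uses its own local zone unless
    # "timezone" is set here. Set it to the zone the Windows hosts log in.
    date {
      match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ]
    }
    # Map nxlog field names onto the eventlog_* names the dashboards use. A single
    # rename hash instead of nine repeated "rename =>" keys, which newer Logstash
    # releases warn on or reject as duplicate keys.
    mutate {
      rename => {
        "Severity"         => "eventlog_severity"
        "SeverityValue"    => "eventlog_severity_code"
        "Channel"          => "eventlog_channel"
        "SourceName"       => "eventlog_program"
        "SourceModuleName" => "nxlog_input"
        "Category"         => "eventlog_category"
        "EventID"          => "eventlog_id"
        "RecordNumber"     => "eventlog_record_number"
        "ProcessID"        => "eventlog_pid"
      }
    }
    # AccountName = the account the event is "about": the subject (who acted) as a
    # fallback, overridden by the target (who logged on / was acted upon) when set.
    # Windows writes "-" for an empty value, so a "-" target must not clobber a real
    # subject name; previously 'TargetUserName == "-"' produced AccountName "-".
    if [SubjectUserName] =~ "." and [SubjectUserName] != "-" {
      mutate {
        replace => { "AccountName" => "%{SubjectUserName}" }
      }
    }
    if [TargetUserName] =~ "." and [TargetUserName] != "-" {
      mutate {
        replace => { "AccountName" => "%{TargetUserName}" }
      }
    }
    # Events read by nxlog from a file rather than the event log: use the file name
    # as the channel. This branch was dead before because kv removed FileName first.
    if [FileName] =~ "." {
      mutate {
        replace => { "eventlog_channel" => "%{FileName}" }
      }
    }
    mutate {
      lowercase => [ "AccountName", "eventlog_channel" ]
      # FileName has served its purpose; drop it here rather than in kv.
      remove_field => [ "FileName" ]
    }
  }
}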