Active Directory - Parse Message Log and Username

Hi,

I am trying to build a simple report for something like AD group changes. Wondering if the "message" in the event ID can be parsed further (i.e., have more fields)? Also wondering if any regex can be applied. For example, instead of the entire account name in the CN format, just grab part of it. My understanding is Logstash can do this :)

I'm working off EventID 4728

A member was added to a security-enabled global group.

Subject:

Security ID: ACME\Administrator
Account Name: Administrator
Account Domain: ACME
Logon ID: 0x27a79

Member:

Security ID: ACME\gkhan
Account Name: cn=Ghenghis Khan,CN=Users,DC=acme,DC=local

Group:

Security ID: S-1-5-21-3108364787-189202583-342365621-1108
Group Name: Historical Figures
Group Domain: ACME

Additional Information:

Privileges: -

So, for example, I would like "A member was added to a security-enabled global group" to be a field. I would also like to have a field just for the Security ID and Account Name, and also parse the format down to just the name.

I've found this post:
https://www.syspanda.com/index.php/2018/01/09/monitoring-domain-group-membership-changes-elk/

However, the extra field short_message isn't being created. Here's a snippet in case the link is not allowed or removed (closing braces restored so the block loads, and the winlogbeat tag check applied to both branches):

filter {
  if "winlogbeat" in [tags] {
    # Label the Windows security event ID with a human-readable summary.
    if [event_id] == 4727 {
      mutate {
        add_field => { "short_message" => "A security-enabled global group was created" }
      }
    }
    else if [event_id] == 4728 {
      mutate {
        add_field => { "short_message" => "A member was added to a security-enabled global group" }
      }
    }
  }
}

Any feedback or suggestions would be awesome :)

Thanks - AW

I would replace the long if / else if / else if / else if chain with a call to a translate filter.

What does one of your events look like if you use this output?...

output { stdout { codec => rubydebug } }
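Putting the question (parsing the 4728 message into fields, extracting just the CN from the member's account name, and the missing short_message) together with the reply's translate-filter suggestion, here is a complete filter block as an added example. It is not from the original post, the reply, or the syspanda article. Like the snippet in the question, it assumes Winlogbeat events arrive with a winlogbeat tag, an integer event_id and the raw event text in message; the field names short_message, event_summary, subject_*, member_* and group_*, and the failure tags, are my own choices. Two caveats a practitioner would want: the message text is localized, so a grok pattern written against it only works for English-language DCs, whereas Winlogbeat normally ships the same values as structured event_data.* fields (for example event_data.MemberName and event_data.TargetUserName; winlog.event_data.* in 7.x) which should be preferred whenever they are present; and the raw message is deliberately left untouched so the original evidence survives the parsing.

```conf
# Added example (not from the original post): parse Windows group-membership
# change events shipped by Winlogbeat. Assumes a top-level integer "event_id"
# and the raw event text in "message", as the question's snippet does, and
# that config.support_escapes is at its default (false), so the backslashes
# in the grok patterns reach the regex engine untouched.
filter {
  if "winlogbeat" in [tags] {

    # One lookup table instead of an if / else-if chain per event ID.
    # The translate filter compares the field value as a string, hence the
    # quoted keys. IDs not in the table get the fallback text, so the field
    # always exists for reporting.
    translate {
      field       => "[event_id]"
      destination => "[short_message]"
      dictionary  => {
        "4727" => "A security-enabled global group was created"
        "4728" => "A member was added to a security-enabled global group"
        "4729" => "A member was removed from a security-enabled global group"
        "4732" => "A member was added to a security-enabled local group"
        "4733" => "A member was removed from a security-enabled local group"
        "4756" => "A member was added to a security-enabled universal group"
        "4757" => "A member was removed from a security-enabled universal group"
      }
      fallback => "Unmapped event ID"
    }

    # The member add/remove events share one message layout, so one grok
    # pattern covers all of them. (?m) lets DATA span line breaks; \s+ absorbs
    # the CRLF and tab padding between label and value. NOTSPACE is used where
    # a value cannot contain blanks (SIDs, logon IDs, domains) and the
    # non-greedy DATA where it can (the member DN and the group name).
    if [event_id] in [4728, 4729, 4732, 4733, 4756, 4757] {
      grok {
        match => {
          "message" => "(?m)^%{DATA:event_summary}\.?\s+Subject:\s+Security ID:\s+%{NOTSPACE:subject_sid}\s+Account Name:\s+%{NOTSPACE:subject_account}\s+Account Domain:\s+%{NOTSPACE:subject_domain}\s+Logon ID:\s+%{NOTSPACE:subject_logon_id}\s+Member:\s+Security ID:\s+%{NOTSPACE:member_sid}\s+Account Name:\s+%{DATA:member_dn}\s+Group:\s+Security ID:\s+%{NOTSPACE:group_sid}\s+Group Name:\s+%{DATA:group_name}\s+Group Domain:\s+%{NOTSPACE:group_domain}"
        }
        # Tag rather than drop on failure so unparsed events stay visible.
        tag_on_failure => ["_ad_group_change_grokfail"]
      }

      # Keep only the CN value of the member's distinguished name:
      # "cn=Ghenghis Khan,CN=Users,DC=acme,DC=local" -> "Ghenghis Khan".
      # (?i) accepts both "cn=" and "CN="; the capture stops at the first
      # unescaped comma, so an RDN written as "CN=Khan\, Ghenghis,..." stays whole.
      if [member_dn] {
        grok {
          match => { "member_dn" => "^(?i)CN=(?<member_name>(?:\\.|[^,\\])+)" }
          tag_on_failure => ["_member_dn_not_a_dn"]
        }
      }
    }
    # The raw "message" is intentionally kept: the parsed fields are a
    # convenience for reporting, the original text is the evidence.
  }
}
```

Run it once with the stdout { codec => rubydebug } output suggested above to confirm that event_id really is a top-level integer and that member_name, group_name and short_message appear; if short_message is still missing, the rubydebug dump of one event will show which of those assumptions does not hold for your Winlogbeat version. For a larger ID table, the same dictionary can be moved to a YAML file and loaded with dictionary_path, and note that newer releases of the translate filter name the field and destination options source and target.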
