Hi,
I am trying to build a simple report for something like AD group changes. Wondering if the "message" in the event ID can be parsed further?(ie have more fields) Also wondering if any regex can be applied. For example, instead of the entire account name in the CN format, just grab part of it. My understanding is logstash can do this
I'm working off EventID 4728
A member was added to a security-enabled global group.
Subject:
Security ID: ACME\Administrator
Account Name: Administrator
Account Domain: ACME
Logon ID: 0x27a79
Member:
Security ID: ACME\gkhan
Account Name: cn=Ghenghis Khan,CN=Users,DC=acme,DC=local
Group:
Security ID: S-1-5-21-3108364787-189202583-342365621-1108
Group Name: Historical Figures
Group Domain: ACME
Additional Information:
Privileges: -
So for example, I would like A member was added to a security-enabled global group to be a field. I would also like to have a field just for the Security ID and Account name, also parsing the format to just the Name.
I've found this post:
https://www.syspanda.com/index.php/2018/01/09/monitoring-domain-group-membership-changes-elk/
However, the extra field short_message isn't being created. Here's a snippit incase the link is not allowed or removed.
filter {
if "winlogbeat" in [tags] and [event_id] == 4727 {
mutate {
add_field => { "short_message" => "A security-enabled global group was created" }
}
}
else if [event_id] == 4728 {
mutate {
add_field => { "short_message" => "A member was added to a security-enabled global group" }
}
}
Any feedback or suggestions would be awesome
Thanks - AW