Hello there !
I have the following Winlogbeat ouput in Logstash :
{
"ecs" => {
"version" => "1.4.0"
},
"log" => {
"level" => "information"
},
"@version" => "1",
"event" => {
"created" => "2020-04-06T09:50:11.918Z",
"provider" => "Microsoft-Windows-Security-Auditing",
"kind" => "event",
"action" => "Logon",
"code" => 4625
},
"message" => "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWINSRV$\n\tAccount Domain:\t\tDEV\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t7\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tnets_srv\n\tAccount Domain:\t\tDEV\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC000006A\n\nProcess Information:\n\tCaller Process ID:\t0x158\n\tCaller Process Name:\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tWINSRV\n\tSource Network Address:\t127.0.0.1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
"type" => "kafka",
"@timestamp" => 2020-04-06T09:49:43.872Z,
"agent" => {
"hostname" => "W2012-COLLECTOR",
"type" => "winlogbeat",
"ephemeral_id" => "1fa2a64f-dc3c-410c-aca7-6b14aa0145b3",
"version" => "7.6.1",
"id" => "06be6de9-4781-4bf5-9ba6-20705d2de775"
},
"winlog" => {
"event_data" => {
"SubjectUserSid" => "S-1-5-18",
"WorkstationName" => "WINSRV",
"TargetUserSid" => "S-1-0-0",
"TargetDomainName" => "DEV",
"ProcessId" => "0x158",
"ProcessName" => "C:\\Windows\\System32\\winlogon.exe",
"AuthenticationPackageName" => "Negotiate",
"IpAddress" => "127.0.0.1",
"LogonProcessName" => "User32 ",
"LogonType" => "7",
"SubjectLogonId" => "0x3e7",
"TargetUserName" => "nets_srv",
"SubjectDomainName" => "DEV",
"TransmittedServices" => "-",
"LmPackageName" => "-",
"SubjectUserName" => "WINSRV$",
"KeyLength" => "0",
"IpPort" => "0",
"SubStatus" => "0xc000006a",
"Status" => "0xc000006d",
"FailureReason" => "%%2313"
},
"api" => "wineventlog",
"provider_name" => "Microsoft-Windows-Security-Auditing",
"event_id" => 4625,
"task" => "Logon",
"provider_guid" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"opcode" => "Info",
"channel" => "Security",
"process" => {
"thread" => {
"id" => 3012
},
"pid" => 504
},
"computer_name" => "WINSRV.DEV.LOCAL",
"keywords" => [
[0] "Audit Failure"
],
"record_id" => 4547
},
"host" => {
"hostname" => "W2012-COLLECTOR",
"architecture" => "x86_64",
"id" => "93ff0365-54bb-474b-bd46-e30c717d86a7",
"os" => {
"version" => "6.3",
"name" => "Windows Server 2012 R2 Standard Evaluation",
"build" => "9600.0",
"kernel" => "6.3.9600.17031 (winblue_gdr.140221-1952)",
"family" => "windows",
"platform" => "windows"
},
"name" => "WINSRV.DEV.LOCAL"
}
}
I would like to add a field if code = 4625
Tried this :
filter {
if [code] == 4625 {
mutate {
add_field => [ "TEST", "OK" ]
}
}
}
But it doesn' works. Tried also with event.code == 4625 but no match also
Any idea why my filter doesn't catch the field ?
Thanks !