Add fields to winlogbeat events

ajhstn · May 24, 2019, 11:43am

Hello using winlogbeat and elasticsearch as the output (not logstash) can i create a key-value pari lookup database?

use case:
For event_id: 4625 i would like to include fields or do a lookup for the Status and Substatus fields, eg.

Is this best achieved with a processor?, such as below or something else?

processors:
  -add_fields:
    when:
      event_data.Status: 0xc000006d
        fields:
          "event_data.Status.Description": "This is either due to a bad username or authentication information"

andrewkroh · May 24, 2019, 9:38pm

You could accomplish this with either a series of add_fields processors on the Winlogbeat side or using an Ingest Node pipeline in Elasticsearch. With Ingest Node you would using the script processor to translate status codes.

ajhstn · May 24, 2019, 9:47pm

Thank you @andrewkroh could you please give me an example?

andrewkroh · May 24, 2019, 9:50pm

For add_fields it would be a series of processors:

processors:
  - add_fields:
      when:
        event_data.Status: "0xc000006d"
      fields:
        event_data.Status_Description: This is either due to a bad username or authentication information.
      target: ""
  - add_fields:
      when:
        event_data.Status: "0x123"
      fields:
        event_data.Status_Description: One two three
      target: ""

andrewkroh · May 24, 2019, 9:53pm

And BTW in Winlogbeat 7.2.0 there will be a new script processor that could be used too, but it's not released yet. With that new script processor you could write a switch statement.

ajhstn · May 25, 2019, 2:51am

Oh right, so i was almost there i just had my syntax wrong.. Good to know.

Regarding efficiency, would the processor or the ingest node method be better?

ajhstn · May 25, 2019, 3:24am

Dang! add_fields is not available in version 6.4!!

martinr_ubi · May 27, 2019, 10:30am

mmm, you could try to use the fields setting, which adds fields and can be use per "event_logs". (scoped to one "collector")
https://www.elastic.co/guide/en/beats/winlogbeat/6.4/configuration-winlogbeat-options.html#winlogbeat-configuration-fields

You would filter on the event id, 4625, use the "fields" setting to add the human readable string you want for a particular status and use the drop-event processor to drop all the events which do not have the status corresponding to the human readable string you just put in the fields setting.
Then rinse and repeat, add the same event_logs entry n times always just changing the string in "fields" and status code you don't drop.
So collect the same eventid through multiple collectors and always dropping the status that don't match (or go with...) the string. Once they're all there you should get what you want in the output.

Only thing I don't know is if winlogbeat allows you to filter on the same eventid multiple times. Never tried that but at face value I don't see why it would not be valid.

system · June 24, 2019, 12:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.