I have seen the query example from Reporting Windows Security Events in Kibana but still quite couldn't understand how to do it.
Instead, I have installed the beats-input plugin and filter-translate plugin as to create the beats-input.conf. Here is the .conf file.
input {
beats {
port => 5044
}
}
filter {
translate {
field => "status_code"
destination => "description"
dictionary_path => ["C:/logstash/dictionary.yaml"]
}
}
output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
where the dictionary.yaml stores data referenced from Windows Security Log Encyclopedia
For example:
"512": Windows NT is starting up
"513": Windows is shutting down
"514": An authentication package has been loaded by the Local Security Authority
"515": A trusted logon process has registered with the Local Security Authority
"516": Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
"517": The audit log was cleared
But it seems that there is no any results (logs) received as seen from the kibana. However, when between I stop and start winlogbeat again, new log files are created as seen from ProgramData File.
I have found that when I start winlogbeat with elasticsearch as output then the logs can be displayed in kibana while it cant when start with logstash as output.