ECS: Converting winglogbeats for Sysmon/Security to Logstash

elkn00b · May 10, 2020, 6:55pm

I'm in the process of converting the winlogbeats javascript to Logstash, and I want to be sure I'm correctly interpreting some of the javascript.

In the snip below, is the winlogbeats.js template for Sysmon separating the binary from the file path and putting just the binary into the process.name, process.executable, process.parent.executable, and process.parent.name ECS fields?

    var setProcessNameUsingExe = function (evt) {
        setProcessNameFromPath(evt, "process.executable", "process.name");
    };

    var setParentProcessNameUsingExe = function (evt) {
        setProcessNameFromPath(
            evt,
            "process.parent.executable",
            "process.parent.name"
        );
    };

    var setProcessNameFromPath = function (evt, pathField, nameField) {
        var name = evt.Get(nameField);
        if (name) {
            return;
        }
        var exe = evt.Get(pathField);
        evt.Put(nameField, **path.basename(exe)**);
    };

Also, because the path.basename(exe) contains the 'exe' string, would it only do that for exe files?

Regards,

Matt

andrewkroh · May 11, 2020, 11:36pm

It sets the process.name field with the basename of the process.executable if and only if process.name is not set.

system · June 8, 2020, 11:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Processes are not logged in winlogbeat Beats winlogbeat	2	459	August 8, 2020
New sysmon event_id 22, DNS Query Beats	4	869	September 14, 2019
Winlogbeat Services v. Command Line Implementation Beats winlogbeat	3	319	July 20, 2021
Mapping Winlogbeat old version to newest ECS Beats ecs-elastic-common-schema , winlogbeat	3	736	June 14, 2021
Winlogbeat Parser Modification Beats elastic-stack-alerting , winlogbeat , elastic-agent	4	467	April 15, 2021

ECS: Converting winglogbeats for Sysmon/Security to Logstash

Related topics