Hi all
I try to enrich the information that I send to Logstash.
I'd like to add a field in the winlogbeat index with a label like administrator and in this field I'd like to set YES for the user that is admin of the pc/server or NO for the user that is not admin of the pc/server.
Is it possible? At the moment I don't found solution...
Thank you
Franco
Yes. It is possible using Logstash Mutate plugin.
filter {
mutate {
add_tag => [ "tag-name" ]
}
}
There is more information:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html
Hi @vasek I could add a tag ADMIN for the administrators user in the logstash filter, but how could I found the administrators user? In the winlogbeat.yml file could I set this configuration?
I need an example
Thank you
Franco
In winlogbeat filebeat you can add field for specific log file. This can be useful if you have separated log for adminstrators and users.. e.g.: adminsitrators.log, users.logs.
If you have mixed content in log.. you have to parse eveng, for example using Grok patterns in logstash. Based on result of parsing you can tag events.
Ok I like the idea to have two log, one for administrators and one for users. How could I set the winlogbeat.yml file to have this 2 files?
Thank you
Franco
Sry. I thought about filebeat.. I am going to edit answer.
Thank you @vasek. I'm waiting your reply...
Franco
Based on eventID you can filter some messages.
There is some event ID list:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
Or try to parse events using Grok patterns in logstash. Based on result of parsing you can tag events.
I know this list but I don't have a grok patterns to give me the result of user admin or user simple.
Do you have some idea?
Thank you
Franco
1) Tag events based on selected eventID
if ( [eventID] == 42 or [eventID] == 2019 ) {
do something ... e.g.: add tag or field to document
}
2) Parsing Windows Events
Look at a document which is collected by Filebeat from Windows server. You can use CURL utility or Kibana to see this document. You will parse field where message is present.
You can test your Grok pattern in Kibana - Dev Tools - Grok Debugger. There is nice explanation.
There is some prepared Grok Reg Exp.
Thank you @vasek I know all information that you give me.
I found a script in windows that give in output all administrator users. Is it possible in winlogbeat to check if the event capture is created by one of this users (that I could store in a text file)?
Thank you
Franco
I am not sure that you can do it on Winlogbeat side. You can definitely filter based on e.g.:
More about filtering here.
Filtering messages on Logstash could be fine.. try Logstash translate filter plugin.
You can provide list of users to this plugin.
Good luck.
Hi,
please allow me to come back to the original question and how identify, which mode the actual beat is running at the moment.
I hope I understood you correctly.
You can always identify which context the beat is running in using environment variables combines with conditionals:
https://www.elastic.co/guide/en/beats/winlogbeat/current/using-environ-vars.html#using-environ-vars
https://www.elastic.co/guide/en/beats/winlogbeat/master/defining-processors.html#defining-processors
With the help of that I can give you following differences:
CMD without admin mode
env variable: SESSIONNAME=Console
CMD with admin mode
missing env variable SESSIONNAME
Now the difference between a program execute in admin mode or in a service context
CMD with admin mode:
APPDATA=C:\Users\%USERNAME%\AppData\Roaming
LOCALAPPDATA=C:\Users\%USERNAME%\AppData\Local
TEMP=C:\Users\%USERNAME%\AppData\Local\Temp
TMP=C:\Users\%USERNAME%\AppData\Local\Temp
USERNAME=%USERNAME%
USERPROFILE=C:\Users\H4PC
CMD with Service mode:
APPDATA=C:\WINDOWS\system32\config\systemprofile\AppData\Roaming
LOCALAPPDATA=C:\WINDOWS\system32\config\systemprofile\AppData\Local
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
USERNAME=%COMPUTERNAME%$
USERPROFILE=C:\WINDOWS\system32\config\systemprofile
These contexts belong to Windows 10 but should be similar under a Windows Server version.
So hope that helps a bit additionally.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.