Filter: Active Directory Event


(Hanen) #1

Hello,

Please, how can I create a filter for AD events on winlogbeat? (security, application, system)

I added some event IDs in each section but it doesn't work.

Thank You.

What I have written in winlogbeat.yml:

```
Security:4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,
4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,4908,4913,
4928-4937,4946-4960,4964

Application:5038,5039,4668

System: 4648,4657,4760,4688-4689,4697-4699
```


(Adrian Serrano) #2

Hi @Hanen,

Can you please tell us which version of Winlogbeat you are using, and share your winlogbeat.yml?

Enclose your configuration between triple-backticks: ``` ..configuration.. ``` so it gets properly formatted.


(Hanen) #3

Thanks for your reply,

  • Version of winlogbeat: 6.2.2
  • My winlogbeat.yml looks like the following:

```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 24h
    event_id: 5038,5039,4668
  - name: Security
    ignore_older: 24h
 event_id:4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,
4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,4908,4913,
4928-4937,4946-4960,4964
  - name: System
    ignore_older: 24h
event_id:4648,4657,4760,4688-4689,4697-4699

name: "NOM"
output.logstash:
    hosts: ["@logstash:5044"]
```

Many thanks!!!!!!!


(Adrian Serrano) #4

The indenting in your configuration is wrong. event_id should have the same indentation as ignore_older:

```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 24h
    event_id: 5038,5039,4668
  - name: Security
    ignore_older: 24h
    event_id:4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,4908,4913,4928-4937,4946-4960,4964
  - name: System
    ignore_older: 24h
    event_id:4648,4657,4760,4688-4689,4697-4699
```

(Hanen) #5

Yes, in winlogbeat.yml event_id has the same indentation as ignore_older, but it doesn't work.
In winlogbeat.log: WARN EventLog[Security] Open() error. No events will be read from this source. The specified query is invalid


(Hanen) #6

Can I create a processor like this?

```yaml
processors:
- drop_event.when.and:
    - equals.log_name: Security
    - not.or:
        - equals.event_id: 4634
        - equals.event_id: 4624-4625
        - equals.event_id: 4608-4609
        - equals.event_id: 4700-4800
        - equals.event_id: 4611
        - equals.event_id: 4616
        - equals.event_id: 4618
        - equals.event_id: 4621
        - equals.event_id: 4627
        - equals.event_id: 4646-4649
        - equals.event_id: 4657
        - equals.event_id: 4662-4664
        - equals.event_id: 4670
        - equals.event_id: 4672-4674
        - equals.event_id: 4819
        - equals.event_id: 4825
        - equals.event_id: 4864-4902
        - equals.event_id: 4908
        - equals.event_id: 4913
        - equals.event_id: 4928-4937
        - equals.event_id: 4946-4960
        - equals.event_id: 4964
```

Is it true?
Thanks.


(Adrian Serrano) #7

I recommend you use the event_id filtering, as it is more efficient than a drop_event processor.

There were still some errors in your configuration. It worked for me with this:

```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 24h
    event_id: '5038,5039,4668'
  - name: Security
    ignore_older: 24h
    event_id: '4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,4908,4913,4928-4937,4946-4960,4964'
  - name: System
    ignore_older: 24h
    event_id: '4648,4657,4760,4688-4689,4697-4699'
```

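Added example, not code from the thread or from the Winlogbeat project: a small Python model of how a quoted `event_id` string like the ones above is interpreted (comma-separated single IDs and inclusive ranges), so a filter can be validated and dry-run against sample events before deploying it. It also shows why the `equals.event_id: 4624-4625` processor idea from post #6 cannot work as written: `equals` compares one literal value, so ranges have to be expanded, which the `event_id` setting does for you. The sample events are constructed.

```python
import re

# Filter strings as posted in the thread (quoted in YAML so they stay strings).
FILTERS = {
    "Application": "5038,5039,4668",
    "Security": ("4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,"
                 "4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,"
                 "4908,4913,4928-4937,4946-4960,4964"),
    "System": "4648,4657,4760,4688-4689,4697-4699",
}

# One item is a single ID ("4634") or an inclusive range ("4624-4625").
_ITEM = re.compile(r"^\s*(\d+)(?:\s*-\s*(\d+))?\s*$")


def parse_event_id_filter(spec):
    """Turn a comma-separated event_id string into (low, high) ranges; reject typos."""
    ranges = []
    for item in spec.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"invalid event_id item: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low > high:
            raise ValueError(f"range is out of order: {item!r}")
        ranges.append((low, high))
    return ranges


def event_id_matches(ranges, event_id):
    """True if event_id lies inside any parsed range (bounds are inclusive)."""
    return any(low <= event_id <= high for low, high in ranges)


def filter_events(filters, events):
    """Keep events selected by the per-log filters; a log with no filter keeps all."""
    parsed = {log: parse_event_id_filter(spec) for log, spec in filters.items()}
    return [e for e in events
            if e["log_name"] not in parsed
            or event_id_matches(parsed[e["log_name"]], e["event_id"])]


# Constructed sample events (log name and ID only), not captured log data.
SAMPLE_EVENTS = [
    {"log_name": "Security", "event_id": 4625},     # inside 4624-4625
    {"log_name": "Security", "event_id": 4801},     # one past 4700-4800
    {"log_name": "System", "event_id": 4697},       # inside 4697-4699
    {"log_name": "Application", "event_id": 1000},  # not listed
    {"log_name": "Setup", "event_id": 1},           # no filter configured
]
```

Running `filter_events(FILTERS, SAMPLE_EVENTS)` keeps the 4625, 4697 and Setup events and drops 4801 and 1000, which is the same selection the quoted `event_id` settings express.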
(Hanen) #8

Hello, thank you so much, it worked for me!

