Hanen
(Hanen)
May 7, 2018, 8:29am
1
Hello,
Please, how can I create a filter for AD events in Winlogbeat (Security, Application, System)?
I added some event IDs in each section but it doesn't work.
Thank you.
What I have written in winlogbeat.yml:
```
Security: 4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,
4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,4908,4913,
4928-4937,4946-4960,4964
Application: 5038,5039,4668
System: 4648,4657,4760,4688-4689,4697-4699
```
adrisr
(Adrian Serrano)
May 7, 2018, 10:30am
2
Hi @Hanen,
Can you please tell us which version of Winlogbeat you are using and share your winlogbeat.yml?
Enclose your configuration between triple backticks: ``` ..configuration.. ``` so it gets properly formatted.
Hanen
(Hanen)
May 7, 2018, 10:40am
3
Thanks for your reply,
Version of Winlogbeat: 6.2.2
My winlogbeat.yml looks like the following:
```
winlogbeat.event_logs:
  - name: Application
    ignore_older: 24h
    event_id: 5038,5039,4668
  - name: Security
    ignore_older: 24h
    event_id:4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,
    4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,4908,4913,
    4928-4937,4946-4960,4964
  - name: System
    ignore_older: 24h
    event_id:4648,4657,4760,4688-4689,4697-4699

name: "NOM"

output.logstash:
  hosts: ["@logstash:5044"]
```
Many thanks!!!!!!!
adrisr
(Adrian Serrano)
May 7, 2018, 11:39am
4
The indenting in your configuration is wrong. `event_id` should have the same indentation as `ignore_older`:
```
winlogbeat.event_logs:
  - name: Application
    ignore_older: 24h
    event_id: 5038,5039,4668
  - name: Security
    ignore_older: 24h
    event_id:4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,4908,4913,4928-4937,4946-4960,4964
  - name: System
    ignore_older: 24h
    event_id:4648,4657,4760,4688-4689,4697-4699
```
Hanen
(Hanen)
May 7, 2018, 11:46am
5
Yes, in winlogbeat.yml `event_id` has the same indentation as `ignore_older`, but it doesn't work.
In winlogbeat.log: `WARN EventLog[Security] Open() error. No events will be read from this source. The specified query is invalid`
Hanen
(Hanen)
May 7, 2018, 11:50am
6
Can I create a processor like this?
```
processors:
  - drop_event.when.and:
      - equals.log_name: Security
      - not.or:
          - equals.event_id: 4634
          - equals.event_id: 4624-4625
          - equals.event_id: 4608-4609
          - equals.event_id: 4700-4800
          - equals.event_id: 4611
          - equals.event_id: 4616
          - equals.event_id: 4618
          - equals.event_id: 4621
          - equals.event_id: 4627
          - equals.event_id: 4646-4649
          - equals.event_id: 4657
          - equals.event_id: 4662-4664
          - equals.event_id: 4670
          - equals.event_id: 4672-4674
          - equals.event_id: 4819
          - equals.event_id: 4825
          - equals.event_id: 4864-4902
          - equals.event_id: 4908
          - equals.event_id: 4913
          - equals.event_id: 4928-4937
          - equals.event_id: 4946-4960
          - equals.event_id: 4964
```
Is it true?
Thanks
adrisr
(Adrian Serrano)
May 7, 2018, 1:46pm
7
I recommend you use the `event_id` filtering, as it is more efficient than a `drop_event` processor.
There were still some errors in your configuration. It worked for me with this:
```
winlogbeat.event_logs:
  - name: Application
    ignore_older: 24h
    event_id: '5038,5039,4668'
  - name: Security
    ignore_older: 24h
    event_id: '4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,4908,4913,4928-4937,4946-4960,4964'
  - name: System
    ignore_older: 24h
    event_id: '4648,4657,4760,4688-4689,4697-4699'
```
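An added example, not from this thread or from Winlogbeat's own code: it expands the comma/range `event_id` syntax used in the working config above into a set of IDs and applies it to a constructed list of events, and it emulates the `equals.event_id` comparison from post 6 to show why a range written as `4624-4625` there would never match an event. The event records and the Beats-like exact-match behaviour are assumptions made for the illustration.

```python
"""Expand a Winlogbeat-style event_id filter and apply it to sample events.
Added illustration only; the event records below are constructed."""
from typing import Dict, List, Optional, Set

# Security filter string exactly as in the working winlogbeat.yml above.
SECURITY_FILTER = ("4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,"
                   "4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,"
                   "4908,4913,4928-4937,4946-4960,4964")

SAMPLE_EVENTS: List[Dict] = [  # constructed, not real event log data
    {"log_name": "Security", "event_id": 4624},
    {"log_name": "Security", "event_id": 4625},
    {"log_name": "Security", "event_id": 4672},
    {"log_name": "Security", "event_id": 4801},     # just outside 4700-4800
    {"log_name": "Application", "event_id": 1000},  # no filter for this log
]


def parse_event_id_filter(spec: str) -> Set[int]:
    """Expand 'a,b-c,d' into the set of included IDs.
    Items are single IDs or inclusive ranges; newlines and a trailing
    comma (as in the first post) are tolerated."""
    ids: Set[int] = set()
    for item in spec.replace("\n", "").split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = (int(p) for p in item.split("-", 1))
            if low > high:
                raise ValueError(f"bad range {item!r}")
            ids.update(range(low, high + 1))
        else:
            ids.add(int(item))
    return ids


def filter_events(events: List[Dict], filters: Dict[str, str]) -> List[Dict]:
    """Keep an event only if its log's event_id filter includes its ID;
    logs without a filter pass everything (assumed per-log semantics)."""
    allowed = {log: parse_event_id_filter(spec) for log, spec in filters.items()}
    kept = []
    for ev in events:
        ids: Optional[Set[int]] = allowed.get(ev["log_name"])
        if ids is None or ev["event_id"] in ids:
            kept.append(ev)
    return kept


def equals_condition_matches(event: Dict, values: List) -> bool:
    """Emulate `equals.event_id: <value>`: an exact comparison, so the
    string '4624-4625' never equals an integer event_id (assumed to
    mirror the processor's behaviour; ranges are not expanded)."""
    return any(event["event_id"] == v for v in values)
```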
Hanen
(Hanen)
May 10, 2018, 9:56am
8
> adrisr: It worked for me

Hello, thank you so much, it worked for me.
system
(system)
Closed
June 7, 2018, 9:56am
9
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.