Hello,
I would like to send only active directory logs with specific Id from logstash to
Elasticsearch.
Please! What config do I need to do at logstash configuration file to achieve this?
example of event_Id:"4625"===> "An account failed to log on",
thanks!!!!
The simplest way to do it is to wrap your elasticsearch output in a conditional:
input {
# ...
}
filter {
# ...
}
output {
if [event_Id] == "4625" {
elasticsearch {
# ... Elasticsearch output config
}
}
}
It can get a bit cumbersome though, especially if your logic about whether or not to export an event gets complex; instead, I would change my logic to output on the presence of a tag (say, export), and would add a filter to inject this tag; that way when business requirements change and I need to export more things, I can just add simple statements to tag them and not worry about making a more complex conditional:
input {
# ...
}
filter {
# ...
if [event_Id] == "4625" {
mutate {
add_tag => ["export"]
}
}
}
output {
if "export" in [tags] {
elasticsearch {
# ... Elasticsearch output config
}
}
}
Use the Winlogbeat Beats agent. You can specify which logs and event IDs you'd like to have sent over.
https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html
winlogbeat.event_logs:
- name: Security
event_id: 4624, 4625, 4700-4800, -4735This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.