Filter Active Directory logs

Hello,

I would like to send only Active Directory logs with a specific ID from Logstash to Elasticsearch.

Please, what config do I need in the Logstash configuration file to achieve this?

Example of event_Id: "4625" => "An account failed to log on".

Thanks!

The simplest way to do it is to wrap your elasticsearch output in a conditional:

input {
  # ...
}
filter {
  # ...
}
output {
  if [event_Id] == "4625" {
    elasticsearch {
      # ... Elasticsearch output config
    }
  }
}

It can get a bit cumbersome though, especially if your logic about whether or not to export an event gets complex; instead, I would change my logic to output on the presence of a tag (say, export), and would add a filter to inject this tag; that way when business requirements change and I need to export more things, I can just add simple statements to tag them and not worry about making a more complex conditional:

input {
  # ...
}
filter {
  # ...
  if [event_Id] == "4625" {
    mutate {
      add_tag => ["export"]
    }
  }
}
output {
  if "export" in [tags] {
    elasticsearch {
      # ... Elasticsearch output config
    }
  }
}
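An added example (not from either reply above) that extends the tag-based approach to a short list of security-relevant event IDs and adds a second condition on the Security channel; it assumes Winlogbeat 7.x field names (winlog.channel, winlog.event_id, winlog.event_data.LogonType) and that event_id arrives as a string, and the Elasticsearch host and index name are placeholders:

```logstash
input {
  beats {
    port => 5044
  }
}

filter {
  # Assumed field names: Winlogbeat 7.x ships winlog.channel and winlog.event_id
  # (as a string); older versions used log_name and a numeric event_id.
  # Adjust the field paths and the quoting to whatever your events carry.
  if [winlog][channel] == "Security" {
    # 4625 failed logon, 4740 account lockout,
    # 4728/4732/4756 member added to a security-enabled group.
    if [winlog][event_id] in ["4625", "4740", "4728", "4732", "4756"] {
      mutate {
        add_tag   => ["export"]
        add_field => { "export_reason" => "security_audit" }
      }
    }
    # Flag failed RDP logons separately (LogonType 10 = RemoteInteractive),
    # so they are easy to find without a more complex output conditional.
    if [winlog][event_id] == "4625" and [winlog][event_data][LogonType] == "10" {
      mutate { add_tag => ["rdp_failed_logon"] }
    }
  }
}

output {
  # Only tagged events are shipped; everything else is silently not exported.
  # Use drop {} in the filter stage instead if you want to discard them early.
  if "export" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]          # placeholder host
      index => "winlogbeat-security-%{+YYYY.MM.dd}" # placeholder index
    }
  }
}
```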

Use the Winlogbeat Beats agent. You can specify which logs and event IDs you'd like to have sent over.

https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html

winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4700-4800, -4735
