Hello.
I need help with Logstash configuration. I would like to define a filter that extracts specific information from my Windows Event Log. For example, in the Windows Event Log entry below I just need the account name and the file or folder that was deleted.
2017-08-16T02:52:49+04:30 172.30.10.17 WIN-4EQI0PB1GO1 MSWinEventLog 4 Security 41 Wed Aug 16 02:52:48 2017 4663 Microsoft-Windows-Security-Auditing WIN-4EQI0PB1GO1\Administrator N/A Success Audit WIN-4EQI0PB1GO1 File System An attempt was made to access an object. Subject: Security ID: S-1-5-21-1303077657-3015995219-3935651026-500 Account Name: Administrator Account Domain: WIN-4EQI0PB1GO1 Logon ID: 0x16cda Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\Desktop\New folder\mic Handle ID: 0x3ac Process Information: Process ID: 0x35c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: DELETE Access Mask: 0x10000 40 path:/var/log/172.30.10.17/messages @timestamp:August 15th 2017, 00:22:13.667 @version:1 host:localhost.localdomain type:syslog tags:netsyslog _id:AV3kxXsuDr9iQpHqoXMQ _type:syslog _index:index_name-2017.08.15 _score: -
Can you show me an example or give me some advice?
Thank you.
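An added example (editor's code, not part of the original post) of the extraction the question asks for. Logstash grok accepts Oniguruma-style `(?<name>regex)` captures, and Ruby uses the same regex dialect, so the patterns below are kept as plain strings, compiled as Ruby regexes to run against the message from the post, and emitted verbatim inside an equivalent grok filter block. The field names (`event_id`, `account_name`, `object_name`, `accesses`, ...) and the `file_delete_attempt` tag are the editor's choices; the filter assumes the whole syslog line lands in `message` and that events carry the `netsyslog` tag shown in the post. One caveat worth keeping in mind when alerting on this: event 4663 with `Accesses: DELETE` records an access request for delete rights, and the separate event 4660 (same Handle ID) is what confirms the object was actually deleted.

```ruby
# Added example, not from the original post: extract account, object path and
# requested access from a Windows 4663 "An attempt was made to access an
# object" syslog line, with the same patterns a Logstash grok filter uses.

# Grok-compatible patterns. Only (?<name>...) captures are used (no %{...}
# shorthands) so the identical strings also compile as Ruby regexes.
GROK_PATTERNS = [
  '\s(?<event_id>\d+)\s+Microsoft-Windows-Security-Auditing\s',
  'Account Name:\s+(?<account_name>.+?)\s+Account Domain:\s+(?<account_domain>\S+)',
  'Object Name:\s+(?<object_name>.+?)\s+Handle ID:\s+(?<handle_id>0x[0-9a-fA-F]+)',
  'Accesses:\s+(?<accesses>.+?)\s+Access Mask:\s+(?<access_mask>0x[0-9a-fA-F]+)',
].freeze

REGEXES = GROK_PATTERNS.map { |p| Regexp.new(p) }.freeze

# Sample input: the event message from the post, joined back into the single
# line syslog delivers (the Kibana field tail after the access mask is dropped).
SAMPLE_LINE = [
  '2017-08-16T02:52:49+04:30 172.30.10.17 WIN-4EQI0PB1GO1 MSWinEventLog 4 Security 41',
  'Wed Aug 16 02:52:48 2017 4663 Microsoft-Windows-Security-Auditing WIN-4EQI0PB1GO1\Administrator N/A',
  'Success Audit WIN-4EQI0PB1GO1 File System An attempt was made to access an object.',
  'Subject: Security ID: S-1-5-21-1303077657-3015995219-3935651026-500 Account Name: Administrator',
  'Account Domain: WIN-4EQI0PB1GO1 Logon ID: 0x16cda Object: Object Server: Security Object Type: File',
  'Object Name: C:\Users\Administrator\Desktop\New folder\mic Handle ID: 0x3ac',
  'Process Information: Process ID: 0x35c Process Name: C:\Windows\explorer.exe',
  'Access Request Information: Accesses: DELETE Access Mask: 0x10000',
].join(' ').freeze

# Apply every pattern (grok with break_on_match => false does the same) and
# collect the named captures. Returns nil for anything that is not a 4663 event.
def parse_object_access(line)
  fields = {}
  REGEXES.each do |re|
    m = re.match(line) or next
    m.names.each { |name| fields[name] = m[name] }
  end
  return nil unless fields['event_id'] == '4663'
  fields
end

# True when the event requested DELETE rights on the object. "Accesses" may
# list several rights separated by whitespace, so split rather than compare.
def delete_attempt?(fields)
  !fields.nil? && fields['accesses'].to_s.split.include?('DELETE')
end

# The equivalent Logstash filter block, built from the same pattern strings.
# Assumption: events carry the "netsyslog" tag seen in the post.
def logstash_filter
  patterns = GROK_PATTERNS.map { |p| "        \"#{p}\"" }.join(",\n")
  <<~CONF
    filter {
      if "netsyslog" in [tags] {
        grok {
          break_on_match => false
          match => { "message" => [
    #{patterns}
          ] }
        }
        if [event_id] == "4663" and [accesses] =~ /DELETE/ {
          mutate { add_tag => ["file_delete_attempt"] }
        }
      }
    }
  CONF
end

if __FILE__ == $PROGRAM_NAME
  fields = parse_object_access(SAMPLE_LINE)
  puts "account: #{fields['account_domain']}\\#{fields['account_name']}"
  puts "object:  #{fields['object_name']}"
  puts "delete attempt: #{delete_attempt?(fields)}"
  puts logstash_filter
end
```

The lazy `.+?` captures stop at the next fixed label (`Account Domain:`, `Handle ID:`, `Access Mask:`), which is what keeps paths and account names containing spaces, such as `New folder`, intact; `\S+` on the object name would have cut it at the first space.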