windows environment beats input from windows event forwarder server. data is comming in not problem but the filter seems to be circumvented. the config was written for linux ubuntu,
input {
beats {
port => 5044
add_field => { "[@metadata][source]" => "beats"}
type => "winlogbeat"
}
}
filter {
if [type] == "winlogbeat"{
if [event_id] == 4103 {
mutate {
add_field => [ "PayloadInvocation", "%{[event_data][Payload]}" ]
add_field => [ "PayloadParams", "%{[event_data][Payload]}" ]
gsub => [
"[event_data][ContextInfo]", " ", "",
"[event_data][ContextInfo]", " = ", "="
]
}
mutate {
gsub => [
"PayloadInvocation", "CommandInvocation(.)", "commandinvocation",
"PayloadInvocation", "ParameterBinding.\r\n", "",
"PayloadParams", "parameterbinding(.)", "parameterbinding",
"PayloadParams", "CommandInvocation.\r\n", "",
"[event_data][Payload]", "CommandInvocation.\r\n", "",
"[event_data][Payload]", "ParameterBinding.\r\n", ""
]
rename => { "[event_load][Payload]" => "[powershell][payload]" }
}
kv {
source => "PayloadInvocation"
field_split => "\n"
value_split => ":"
allow_duplicate_values => false
target => "[powershell]"
include_keys => [ "commandinvocation" ]
}
kv {
source => "PayloadParams"
value_split => "="
allow_duplicate_values => false
target => "[powershell][param]"
include_keys => [ "name", "value" ]
}
kv {
source => "[event_data][ContextInfo]"
field_split => "\r\n"
value_split => "="
remove_char_key => " "
allow_duplicate_values => false
include_keys => [ "Severity", "HostName", "HostVersion", "HostID", "HostApplication", "EngineVersion", "RunspaceID", "PipelineID", "CommandName", "CommandType", "ScriptName", "CommandPath", "SequenceNumber", "ConnectedUser", "ShellID" ]
}
mutate {
rename => {
"CommandName" => "[powershell][command][name]"
"CommandPath" => "[powershell][command][path]"
"CommandType" => "[powershell][command][type]"
"ConnectedUser" => "[powershell][connected][user]"
"EngineVersion" => "[powershell][engine][version]"
"HostApplication" => "[powershell][host][application]"
"HostID" => "[powershell][host][id]"
"HostName" => "[powershell][host][name]"
"HostVersion" => "[powershell][host][version]"
"PipelineID" => "[powershell][pipeline][id]"
"RunspaceID" => "[powershell][runspace][id]"
"Scriptname" => "[powershell][script][name]"
"SequenceNumber" => "[powershell][sequence][number]"
"ShellID" => "[powershell][shell][id]"
}
remove_field => [
"Severity",
"EventType",
"Keywords",
"message",
"Opcode",
"PayloadInvocation",
"PayloadParams",
"[event_data][Payload]",
"[event_data][ContextInfo]"
]
convert => { "[powershell][pipeline][id]" => "integer" }
convert => { "[powershell][sequence][number]" => "integer" }
}
}
if [event_id] == 4104 {
mutate {
rename => {
"[event_data][MessageNumber]" => "[powershell][message][number]"
"[event_data][MessageTotal]" => "[powershell][message][total]"
"[event_data][ScriptBlockId]" => "[powershell][scriptblock][id]"
"[event_data][ScriptBlockText]" => "[powershell][scriptblock][text]"
"[event_data][Path]" => "[powershell][script][path]"
}
remove_field => [ "message" ]
convert => { "[powershell][message][number]" => "integer" }
convert => { "[powershell][message][total]" => "integer" }
convert => { "[powershell][scriptblock][id]" => "integer" }
}
}
if [event_id] == 400 or [event_id] == 600 {
kv {
source => "[event_data][param3]"
field_split => "\n"
value_split => "="
trim_key => "\t"
allow_duplicate_values => false
}
mutate {
rename => {
"ProviderName" => "[powershell][providername]"
"NewProviderState" => "[powershell][newproviderstate]"
"SequenceNumber" => "[powershell][sequencenumber"
"HostName" => "[powershell][host][name]"
"HostVersion" => "[powershell][host][version]"
"HostId" => "[powershell][host][id]"
"HostApplication" => "[powershell][host][application]"
"EngineVersion" => "[powershell][engine][version]"
"RunspaceId" => "[powershell][runspace][id]"
"PipelineId" => "[powershell][pipeline][id]"
"CommandName" => "[powershell][command][name]"
"CommandType" => "[powershell][command][type]"
"ScriptName" => "[powershell][script][name]"
"CommandPath" => "[powershell][command][path]"
"CommandLine" => "[powershell][command][line]"
"NewEngineState" => "[powershell][newengine][state]"
"PreviousEngineState" => "[powershell][previousengine][state]"
}
remove_field => [ "message" ]
remove_field => "[event_data][param1]"
remove_field => "[event_data][param2]"
remove_field => "[event_data][param3]"
}
}
}
}
output {
if [log_name] == "Microsoft-Windows-Sysmon/Operational"{
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "logs-endpoint-winevent-sysmon-%{+YYYY.MM.dd}"
template => "/ELK/6.0.0/logstash/logstash-6.0.0/output_templates/winevent-sysmon- template.json"
template_name => "logs-endpoint-winevent-sysmon"
template_overwrite => true
document_id => "%{[@metadata][log_hash]}"
user => "XXXXXXXXXXX"
password => "XXXXXXXXX"
}
}
}
in kibana