Filter with winlogbeat

Hello, I have winlogbeat on my file server which brings up specific resources from a file audit: 4663, 4670 and 4659 events, well, file activity actually.

I have an issue: I want to create a dashboard with the most used files and also the most used folders. But I just can't do this for folders, because of the filter operators:

Here is the file activity, but as you can see the most used file is actually a folder, not a file. And when I try to filter the data with a path, it just doesn't work at all.

I mean there is no "contains" filter, it's really embarrassing; I would like to know which folders are the most used.

I'm using the "winlog.event_data.ObjectName" field, which corresponds to the path of a file:

Is there currently a way to make a "contains" filter, just to get all data that contains a certain path, for example?

Here is what I got when I try to filter by a folder:

But it's kind of strange, because the most used file in the dashboard is not a file but a folder, C:\Windows\servicing\Packages

So I'm wondering why. I am not able to filter by saying "hey, just give me the data that contains this path", but the dashboard actually can, wtf

I would like to get data of which folders and which files are the most used and maybe generate some report every month to get the top 250 files and top 250 folders activity.

Is it possible? If it's not, ELK is definitely useless for my use and it's sad: I am able to list which users are the most active, but I can't with files and folders just because of the operators.

Does anybody have an idea?

@BeyondRAM
When querying for Windows paths, you need to escape some characters in KQL. There were a few related posts which I found on the discussion forum itself; maybe try searching for your issue first.

Nevertheless, you can refer to: Wildcard filter on a Windows path - #3 by willemdh or Issue on query string query for URL search, depending on whether it's on the Discover tab or the Dev Console respectively.

Also, I would suggest you use the path_hierarchy tokenizer for your field which stores filesystem paths. For more information, please refer to Path hierarchy tokenizer | Elasticsearch Guide [8.6] | Elastic
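As an added example (not code from this thread or from Elastic), this emulates what a path_hierarchy tokenizer with a backslash delimiter does to a Windows ObjectName, and uses the resulting folder prefixes for the "contains this folder" filter and the most-used-folders count asked about in the question. The events are constructed sample data and the function names are this example's own.

```python
"""Added example: path_hierarchy-style folder prefixes for Windows paths,
a folder filter built on them, and a most-used-folders count. The events
below are constructed; function names are this example's own."""
from collections import Counter

# Index settings that would give the field such an analyzer (backslash delimiter).
WIN_PATH_ANALYSIS = {
    "analysis": {
        "tokenizer": {"win_path_tok": {"type": "path_hierarchy", "delimiter": "\\"}},
        "analyzer": {"win_path": {"tokenizer": "win_path_tok"}},
    }
}

# Constructed sample of 4663/4659 events with winlog.event_data.ObjectName.
SAMPLE_EVENTS = [
    {"event.code": "4663", "ObjectName": r"C:\Windows\servicing\Packages"},
    {"event.code": "4663", "ObjectName": r"C:\Windows\servicing\Packages\foo.mum"},
    {"event.code": "4663", "ObjectName": r"C:\Windows\servicing\Packages\bar.cat"},
    {"event.code": "4663", "ObjectName": r"D:\Shares\Finance\Q1\report.xlsx"},
    {"event.code": "4663", "ObjectName": r"D:\Shares\Finance\Q1\budget.xlsx"},
    {"event.code": "4659", "ObjectName": r"D:\Shares\HR\old.docx"},
]

def path_hierarchy_tokens(path, delimiter="\\"):
    """Emit every ancestor prefix of the path, which is what path_hierarchy
    indexes: 'C:', 'C:\\Windows', 'C:\\Windows\\servicing', ..., full path."""
    parts = path.split(delimiter)
    return [delimiter.join(parts[: i + 1]) for i in range(len(parts))]

def in_folder(path, folder):
    """'Contains this folder' filter: true only when the folder is a whole
    prefix token, so 'C:\\Win' does not match 'C:\\Windows' the way a raw
    substring search would."""
    return folder.rstrip("\\") in path_hierarchy_tokens(path)

def top_folders(events, n=5, codes=("4663",)):
    """Count each event once per ancestor folder, excluding the drive root and
    the object itself (so a folder accessed directly is not listed as a file),
    and return the most-used folders."""
    counts = Counter()
    for ev in events:
        if ev["event.code"] in codes:
            for folder in path_hierarchy_tokens(ev["ObjectName"])[1:-1]:
                counts[folder] += 1
    return counts.most_common(n)
```

`WIN_PATH_ANALYSIS` is the shape of the index settings that would make the real field behave like `path_hierarchy_tokens`; the counting itself is done locally here so the idea can be checked without a cluster.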

Thanks @Ayush_Mathur, gonna try this. I was also wondering how to load "older" events; when I set up winlogbeat it actually only loads new logs. How to force it to load the older ones too?

I tried "start_position: beginning" in winlogbeat.yml, but it seems not to work after re-pushing the winlogbeat config and reloading the winlogbeat service on the server.

Like this:

winlogbeat.event_logs:
  - name: Security
    event_id: 4659, 4663, 4670
    start_position: beginning

Well, idk if it's actually possible to load older events than "the future" ones.

Thanks for the answer, I'm gonna test it.

Sorry, not really sure about sending old logs from winlogbeat. But there should be some option, ignore_older, which would tell beats to ignore any entry older than this timeframe. Maybe try giving a larger value.
In the worst case, if you can deal with duplicate logs for some time (or if it's a test server), try deleting the registry and restarting winlogbeat. This should ensure events are read from the very first entry, unless of course your event file has been archived or deleted.

Well, I tried both solutions from the topics: an error for this method, Issue on query string query for URL search

And no error for this one, Wildcard filter on a Windows path - #3 by willemdh

But no results.

I guess it's impossible to do what I want...

But I mean, it's sad to have to search and test a lot of things just to do a Ctrl+F in ELK, which is amazing.

Thanks for the answer @Ayush_Mathur


@BeyondRAM, have you tried configuring the path_hierarchy tokenizer for your filesystem paths?

Although the path_hierarchy tokenizer might be a workaround, it is not really user friendly and makes things overly complex. Besides, this would require us to override the built-in mappings, which is currently nearly impossible to do effectively, as with the new index / component templates the mappings get overwritten again on every update.
It doesn't seem too much to ask from a search engine / SIEM to be able to wildcard search a Windows file path by default?

Well, that's what I thought. I read a couple of things about the path_hierarchy tokenizer, but it's a lot to do for a simple feature. I mean it's complex and it takes a lot of time when you are not very familiar with all those things.

I hope something is gonna be done in future updates; idk, but I was very surprised when I didn't find the "contains" filter, like wtf.

Just a bump so it's not closed.

Will never die


Just answering to keep this open, as it really is problematic that we can't wildcard search in an efficient way on Windows paths.

I think that if this is needed, it needs to have a GitHub issue; without it Elastic will not even look at this issue.

Also, you can use a wildcard query on the field winlog.event_data.ObjectName; it just needs to be done in the Discover search bar, not using the filter options of Discover.

For example, using winlog.event_data.ObjectName: *System32* will show only documents where the string System32 is on the path.

Using winlog.event_data.ObjectName: (*System32* AND *Speech*) will show only documents where both System32 and Speech are on the path.
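As an added example (not code from this thread), the following builds the Discover search-bar queries the reply above describes, escaping the characters KQL treats as special so a literal Windows path (backslashes and the drive colon) can be used, and previews the same `*` semantics locally. The sample paths are constructed and the function names are this example's own.

```python
"""Added example: KQL wildcard queries on winlog.event_data.ObjectName with
Windows-path escaping, plus a local preview of the wildcard semantics.
Sample paths are constructed; function names are this example's own."""
from fnmatch import fnmatchcase

FIELD = "winlog.event_data.ObjectName"

# Constructed sample ObjectName values, not real audit data.
SAMPLE_PATHS = [
    r"C:\Windows\System32\Speech\Common\sapi.dll",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\servicing\Packages",
    r"D:\Shares\Finance\Q1\report.xlsx",
]

def kql_escape(text):
    """Backslash-escape the characters KQL treats as special; the backslash
    itself goes first so the escapes just added are not escaped again."""
    for ch in "\\():<>\"{}":
        text = text.replace(ch, "\\" + ch)
    return text

def contains_query(*fragments):
    """field: *A* or field: (*A* AND *B*), the form used in the reply above."""
    clauses = [f"*{kql_escape(f)}*" for f in fragments]
    body = clauses[0] if len(clauses) == 1 else "(" + " AND ".join(clauses) + ")"
    return f"{FIELD}: {body}"

def folder_query(folder):
    """Everything under one folder: escaped path, escaped separator, then *."""
    base = kql_escape(folder.rstrip("\\"))
    return f"{FIELD}: {base}\\\\*"

def local_matches(paths, *fragments):
    """Preview which sample paths a contains_query would return, using the
    same '*' semantics (case-sensitive glob over the whole value)."""
    return [p for p in paths if all(fnmatchcase(p, f"*{f}*") for f in fragments)]
```

Paste the returned strings into the Discover search bar; `folder_query` is the prefix form to use once the path is escaped, and `contains_query` the substring form from the reply.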


Thanks for the tip man, this helped me a lot!

Wondering if it also works with C:\\SomePath* or ?:\\SomePath\SomeOtherPath* on, for example, process.working_directory.

I'll try testing this asap, see also Wildcard filter on a Windows path - #3 by willemdh

Imho it would be nice to see this working in filters too though, as those are used in Elastic SIEM?
