Filtering events by message contents / Custom Processor

jojo.pornebo · November 3, 2016, 4:02am

I'd like to ask for help on writing a processor configuration to do the following:

filter on keyword from the event log message (example the application event log message has the word(s)/phrase - "forcibly closed")
include the event in the output file

Or
-filter on keyword

include the event in the output file plus,
run a powershell script as an extra step it has to do

Can someone give me the actual yml section script for doing this task ?

I could not find more guides for creating filtering/processing scripts for winlogbeat. Please direct me to an online article, ebook or guide to learn more and become an expert in beats/winlogbeats configuration and processing/filtering because we have a huge Windows farm.

Please help. TNX.

Jojo

andrewkroh · November 3, 2016, 5:12pm

Here is the documentation for processors.

You can include events based on message content by using the drop_event processor with a regex condition.

processors:                                                                                                                                                              
- drop_event.when.not.regexp.message: "forcibly closed"

You cannot execute a script. What did you want to accomplish with the script? We are currently considering a feature that would allow invoking a script to collect additional information that should be added to the event. This feature is discussed here: https://github.com/elastic/beats/issues/2186

You can write your own processor in Go and use it with Beats if you compile your own version of the beat.

jojo.pornebo · November 7, 2016, 4:13pm

I tried that filter in WinLogBeat - it works.

However, I really wanted to pass all events to a file and at the same time trigger for any special event by keyword. I'm trying to send an alert once there is a mission critical problem and is evident by the presence of an event log entry.
It seems that I cannot do the filtering/triggering right up-front from the onset of the creation of the event log.

Which part of ELK will be able to do trigger an alarm (like send mail) in an event there is a keyword match ?

andrewkroh · November 7, 2016, 4:58pm

This is provided by Watcher which is part of X-Pack. You can setup a watch that will send an email (or take some other action) when there is a keyword match. X-pack is free to try, some features require a subscription after the trial period

jojo.pornebo · November 7, 2016, 5:21pm

Watcher

That's what I found out too. It's too unfortunate that Windows can trigger events but only based from a an event ID and not from a keyword.

We are currently considering a feature that would allow invoking a script ...

When will this be available ?

andrewkroh · November 7, 2016, 6:55pm

I'm not sure what you mean. What feature in Windows can trigger events (actions?) based on event ID?

We don't this feature scheduled in any release yet. It is still being evaluated and considered. It is not a generic processor for execute scripts. It's for adding time-invariant metadata to events.

jojo.pornebo · November 7, 2016, 7:10pm

In Windows 2012 you can use the " Event Viewer “Attach Task to This Event…” feature to create the task"

But filter options does not include by keyword.

andrewkroh · November 7, 2016, 7:22pm

Cool, I have never used that feature. Thanks

system · November 28, 2016, 7:23pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.