Hi, I am trying to use Winlogbeat to get a json file with Windows events. Winlogbeat produces ndjson, so I was trying to convert it to json like this:
When I run logstash with this configuration file, it does not save any output.json. The problem seems to be that my ndjson does not contain an array like "message" from which I can parse the data. I tried:
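# Read Winlogbeat's ndjson output (one JSON document per line) and write the
# parsed events back out as JSON. Paths are Windows-style; Logstash accepts
# forward slashes here.
input {
  file {
    path => ["c:/program files/winlogbeat/winlogbeat/data/*.ndjson"]
    # Read existing files from their first line instead of only tailing new data.
    start_position => "beginning"
    # On Windows "NUL" is the null device, so no read position is persisted:
    # every Logstash restart re-reads the files from the beginning and the
    # events are written to the output again. Point this at a real file once
    # testing is done.
    sincedb_path => "NUL"
  }
}

filter {
  # The file input places each input line in the "message" field; this parses
  # that line as JSON and merges its keys into the event (the parsed document's
  # own "message" key then replaces the raw line). A line that is not a complete
  # JSON document is tagged _jsonparsefailure instead, which is what happens if
  # the file on disk is pretty-printed across many lines like the pasted sample
  # rather than holding one document per line.
  json {
    source => "message"
  }
}

output {
  # The output holds the full Security-channel events (account names, source
  # addresses of failed logons, etc. as in the sample), so restrict access to
  # this directory as you would the original event log.
  file {
    path => ["c:/program files/winlogbeat/winlogbeat/data/json/output.json"]
  }
}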
And this doesn't output any file. I tried the following, as I don't have a message field:
# Variant without a source setting: the json filter requires source, so
# Logstash rejects this configuration with the "SETTING MISSING" error
# mentioned below.
filter {
json { }
}
But Logstash threw an error saying # SETTING MISSING.
I also tried with source => "winlog", which is a valid field in the ndjson, and this works: I get a json file, but its content does not include everything I need, as that is just one of the fields.
Any ideas on how I can break this ndjson down into json? My data looks like this:
{
"@timestamp": "2024-04-01T13:23:03.476Z",
"@metadata": {
"beat": "winlogbeat",
"type": "_doc",
"version": "8.13.0"
},
"host": {
"mac": [
"xx-xx-xx-xx-xx-xx"
],
"name": "vm-demobox",
"hostname": "vm-jpl",
"architecture": "x86_64",
"os": {
"version": "10.0",
"family": "windows",
"name": "Windows Server 2019 Datacenter",
"kernel": "10.0.17763.5576 (WinBuild.160101.0800)",
"build": "17763.5576",
"type": "windows",
"platform": "windows"
},
"id": "xxxxxxx",
"ip": [
"xxx",
"xxx"
]
},
"ecs": {
"version": "8.0.0"
},
"agent": {
"type": "winlogbeat",
"version": "8.13.0",
"ephemeral_id": "xxx",
"id": "xxx",
"name": "vm-demobox"
},
"cloud": {
"account": {
"id": "xxx"
},
"instance": {
"id": "xxx",
"name": "vm-demobox"
},
"provider": "azure",
"machine": {
"type": "Standard_B4ms"
},
"service": {
"name": "Virtual Machines"
},
"region": "eastus"
},
"winlog": {
"activity_id": "{d16ec0cc-8859-4444-9a61-9d0224418a88}",
"event_id": "4625",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"api": "wineventlog",
"channel": "Security",
"keywords": [
"Audit Failure"
],
"task": "Logon",
"process": {
"pid": 792,
"thread": {
"id": 908
}
},
"record_id": 118461,
"event_data": {
"FailureReason": "%%2313",
"SubStatus": "0xc0000064",
"WorkstationName": "-",
"IpPort": "0",
"LogonProcessName": "NtLmSsp ",
"AuthenticationPackageName": "NTLM",
"SubjectUserSid": "S-1-0-0",
"SubjectDomainName": "-",
"SubjectLogonId": "0x0",
"ProcessId": "0x0",
"ProcessName": "-",
"IpAddress": "87.251.75.120",
"Status": "0xc000006d",
"SubjectUserName": "-",
"TargetUserName": "OFFICE",
"KeyLength": "0",
"LmPackageName": "-",
"TransmittedServices": "-",
"LogonType": "3",
"TargetUserSid": "S-1-0-0"
},
"computer_name": "vm-demobox",
"opcode": "Info",
"provider_name": "Microsoft-Windows-Security-Auditing"
},
"event": {
"outcome": "failure",
"action": "Logon",
"created": "2024-04-01T13:23:05.348Z",
"code": "4625",
"kind": "event",
"provider": "Microsoft-Windows-Security-Auditing"
},
"log": {
"level": "information"
},
"message": "message text"
},
{
"@timestamp": "2024-04-01T13:23:03.476Z",
"@metadata": {
"beat": "winlogbeat",
"type": "_doc",
"version": "8.13.0"
},
"host": {
"mac": [
"xx-xx-xx-xx-xx-xx"
],
"name": "vm-demobox",
"hostname": "vm-jpl",
"architecture": "x86_64",
"os": {
"version": "10.0",
"family": "windows",
"name": "Windows Server 2019 Datacenter",
"kernel": "10.0.17763.5576 (WinBuild.160101.0800)",
"build": "17763.5576",
"type": "windows",
"platform": "windows"
},
"id": "xxxxxxx",
"ip": [
"xxx",
"xxx"
]
},
"ecs": {
"version": "8.0.0"
},
"agent": {
"type": "winlogbeat",
"version": "8.13.0",
"ephemeral_id": "xxx",
"id": "xxx",
"name": "vm-demobox"
},
"cloud": {
"account": {
"id": "xxx"
},
"instance": {
"id": "xxx",
"name": "vm-demobox"
},
"provider": "azure",
"machine": {
"type": "Standard_B4ms"
},
"service": {
"name": "Virtual Machines"
},
"region": "eastus"
},
"winlog": {
"activity_id": "{d16ec0cc-8859-4444-9a61-9d0224418a88}",
"event_id": "4625",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"api": "wineventlog",
"channel": "Security",
"keywords": [
"Audit Failure"
],
"task": "Logon",
"process": {
"pid": 792,
"thread": {
"id": 908
}
},
"record_id": 118461,
"event_data": {
"FailureReason": "%%2313",
"SubStatus": "0xc0000064",
"WorkstationName": "-",
"IpPort": "0",
"LogonProcessName": "NtLmSsp ",
"AuthenticationPackageName": "NTLM",
"SubjectUserSid": "S-1-0-0",
"SubjectDomainName": "-",
"SubjectLogonId": "0x0",
"ProcessId": "0x0",
"ProcessName": "-",
"IpAddress": "87.251.75.120",
"Status": "0xc000006d",
"SubjectUserName": "-",
"TargetUserName": "OFFICE",
"KeyLength": "0",
"LmPackageName": "-",
"TransmittedServices": "-",
"LogonType": "3",
"TargetUserSid": "S-1-0-0"
},
"computer_name": "vm-demobox",
"opcode": "Info",
"provider_name": "Microsoft-Windows-Security-Auditing"
},
"event": {
"outcome": "failure",
"action": "Logon",
"created": "2024-04-01T13:23:05.348Z",
"code": "4625",
"kind": "event",
"provider": "Microsoft-Windows-Security-Auditing"
},
"log": {
"level": "information"
},
"message": "message text"
}
Thanks in advance!