How Filtering logstash output from winlogbeat using winevent More detail?

#Windwos event ID

#I have filtering using EventID and work 100% , but how to more specific filtering , i want to dinied QueryName below :

my config :

thanks.

To understanding.

Hi there,

I'm afraid I don't really get what you would like to do. Can you please be a bit more specific?

Also, can you post here a sample of what logstash spits out setting as output of your pipeline stadout{} and pasting here (properly indented and formatted) what it returns?

Thanks

#my output from logstash

and the result from logstash


#my question how to denied the result web site

  • becouse windows always automatic go to that URL

#I Want to monitoring in client who access the browser , so i use windows event "Microsoft-Windows-DNS-Client" to get the log .

#but how to filter like my fist qwestion

thanks for helping ,

I meant what it returns not what you wrote in your output section. Next to that elasticsearch output, put the line stdout{} so the same logs that are sent to ES are also written on the console, the exact way Logstash sees them. You should put in your output section of your conf file something like:

output {
  if [log_name] == "Microsoft-Windows-DNS-Client/Operational" and [@metadata][helk_parsed] == "yes" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "logs-endpoint-winevent-dns-client-%{+YYYY.MM.dd}"
      document_id => "%{[@metadata][log_hash]}"
      #user => 'elastic'
      #password => 'elasticpassword'
    }

    stdout {}
  }
}

Anyway, if I got it right you want to exclude all those logs that have "win8.ipv6.microsoft.com." in the url_access field, right? Or do you want to exclude any log that even has that field, no matter the value inside it?

Finally, please in your next posts do not put screenshot of code because if you do so, other people have to rewrite everything you already wrote in order to replicate what you did. So take your piece of code, paste it here properly indented, you will see it not indented on the right (preview) event if it is indented on the left, like this:

Then you simply highlight your piece of code and click on the Preformatted text tool (image ) to make it like this:

Perfectly readable and ready to be copied and pasted.

Thanks for this, let me try this one.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.