How to get Username from GUID with Winlogbeat sending to Logstash

We recently set up Winlogbeat to send events to Logstash, which then go into Elasticsearch and can be queried and visualized with Kibana. All is good there, except many of the security-related events that we receive have a GUID value instead of a username. Previously, when we used another competing product, we were able to create a lookup table to automatically convert these values to useful usernames for reporting and visualizations while the data was being ingested. We've been trying to figure out how to do this with Logstash and investigating the filter plugins or codec plugins to do this, but haven't found a solution. This is a critical thing, as we will not be able to migrate to Elastic Stack unless we can resolve this data issue.

If you have a mapping then you can do it using a translate filter.

If the userids are dynamic, you set up a mapping in a different index and query for it using the elasticsearch filter.

The UserIDs would be changing as people are added and removed from the directory. I can probably make a script that gets a new list from AD and exports it. Would someone be able to give me an example of the JSON query I'd need to have as the output from the script to insert/update into a new index? I'm new to JSON in general.

Depending on your systems, you could use Python to query the AD LDAP for all newly created accounts and extract the username, uid, primary group id and member groups. Then store that in Elasticsearch.

The script to add the users could be something like this! Of course, you need to add the LDAP part.
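
An added example (not the script from the reply above, and not Elastic's own code): building the newline-delimited JSON body for the Elasticsearch `_bulk` API from directory entries, with the GUID as the document `_id` so that re-running the export updates users in place. The index name `ad-users`, the field names and the sample entries are assumptions; the LDAP query is left out and replaced by constructed records.

```python
import json
import uuid

INDEX = "ad-users"  # hypothetical index name (assumption)

# Constructed sample records standing in for LDAP search results.
# AD returns objectGUID as 16 raw bytes in little-endian (mixed) byte order.
SAMPLE_ENTRIES = [
    {"objectGUID": uuid.UUID("3f2504e0-4f89-11d3-9a0c-0305e82c3301").bytes_le,
     "sAMAccountName": "jdoe", "primaryGroupID": 513,
     "memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=test"]},
    {"objectGUID": uuid.UUID("9b2f7c1a-5d3e-4a6b-8c7d-0e1f2a3b4c5d").bytes_le,
     "sAMAccountName": "asmith", "primaryGroupID": 513, "memberOf": []},
]


def guid_to_str(raw):
    """Convert a 16-byte objectGUID to the lowercase dashed string form."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def build_bulk_body(entries, index=INDEX):
    """Return an NDJSON body for the Elasticsearch _bulk API.

    Using the GUID as _id makes each run an insert-or-overwrite, so
    re-exporting the directory updates existing users in place.
    """
    lines = []
    for e in entries:
        guid = guid_to_str(e["objectGUID"])
        # Action line, then the document source line (field names assumed).
        lines.append(json.dumps({"index": {"_index": index, "_id": guid}}))
        lines.append(json.dumps({
            "guid": guid,
            "username": e["sAMAccountName"],
            "primary_group_id": e["primaryGroupID"],
            "member_groups": e["memberOf"],
        }))
    return "\n".join(lines) + "\n"  # _bulk requires a trailing newline


if __name__ == "__main__":
    print(build_bulk_body(SAMPLE_ENTRIES), end="")
```

The output can be POSTed to the `_bulk` endpoint with `Content-Type: application/x-ndjson`. The GUID in each event has to be normalised to the same form (lower case, no braces) before the lookup in Logstash, or the `_id` will not match.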
