How to make a graph with winlogbeat


(Julien) #1

Hi,

I'm a total beginner with the ELK stack, so forgive me if I say horrible things...

I have an ELK running on Ubuntu and a Windows Server 2012 R2.

I would like to have a graph showing me WHO and WHAT people are deleting on my file server.
My audit settings are good; in my event viewer I can see the ID 4663.

Winlogbeat on my Windows Server is sending logs to ELK.

In Kibana, I created an index for winlogbeat and I can see my logs.

I would like to make a graph with the following fields:

  • event_data.ObjectName
  • event_data.SubjectUserName
  • event_data.ObjectType (optional)

Can you please help me? I'm really lost with the graphs in Kibana...

Thanks in advance and have a good day.


(Tim Roes) #2

Hi Julien,

Sorry for the very late response.

The only horrible thing you said here is "ELK stack". It's called "Elastic Stack" nowadays, since there are already some more components than Elasticsearch, Logstash and Kibana (e.g. Beats, Swiftype, etc.) :upside_down_face:

But to your actual question: For me this sounds a lot like you actually want to see the individual deletions and not just summed-up data? Visualizations are all based on aggregations and thus sum up data. This would be useful if you e.g. want to see which user deleted the most, or which files got deleted the most (doesn't make too much sense in this case I guess, since you don't delete a file multiple times).

From your question I understand that you would rather just have a list of all deletions showing who deleted what. In this case you should work with Discover. You can customize which columns are shown by just looking (or searching) for the fields in the left sidebar and clicking "add" behind the field. That way you can just add those three wished-for fields as columns to your view. Now you can apply a filter on the top that will filter just the deletion documents. I don't have a Windows machine running, thus I unfortunately cannot tell you which field exactly has which value for deletions, but I guess you already figured that out anyway. If you now save this Discover view, you can load it any time later to check it, or you can add it to any dashboard.

I hope that answer helped you get started building what you need. Please feel free to come back with any more questions.

Cheers,
Tim
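The "which field has which value for deletions" gap in the answer above, worked through in Python as an added example (not code from the thread or from Winlogbeat): it takes constructed Winlogbeat documents in the event_data.* layout Julien named, keeps only 4663 events whose access mask carries a delete right, and returns the who/what/type rows Discover would show plus the per-user count a visualization would aggregate. The event_data.AccessMask field and its hex-string form are assumptions about the 4663 layout; check them against a real document in Discover.

```python
from collections import Counter

# Access right bits reported in the 4663 AccessMask when an object is removed.
DELETE = 0x10000       # DELETE: the object itself was removed
DELETE_CHILD = 0x40    # FILE_DELETE_CHILD: an entry inside this directory was removed

# Constructed sample documents (not from the thread), in the event_data.* layout
# the question lists. AccessMask as a hex string is an assumed Winlogbeat field.
SAMPLE_DOCS = [
    {"event_id": 4663, "event_data": {"SubjectUserName": "alice",
     "ObjectName": "C:\\share\\report.docx", "ObjectType": "File", "AccessMask": "0x10000"}},
    {"event_id": 4663, "event_data": {"SubjectUserName": "bob",          # read access only
     "ObjectName": "C:\\share\\notes.txt", "ObjectType": "File", "AccessMask": "0x1"}},
    {"event_id": 4656, "event_data": {"SubjectUserName": "alice",        # handle request, not 4663
     "ObjectName": "C:\\share\\old.log", "ObjectType": "File", "AccessMask": "0x10000"}},
    {"event_id": 4663, "event_data": {"SubjectUserName": "carol",        # directory entry removed
     "ObjectName": "C:\\share\\archive", "ObjectType": "File", "AccessMask": "0x40"}},
]


def is_deletion(doc):
    """True for a 4663 event whose exercised access mask includes a delete right.

    The mask is tested bitwise because a real event may combine several rights
    (e.g. 0x10080); an exact-match Kibana filter on "0x10000" would miss those.
    """
    if doc.get("event_id") != 4663:
        return False
    mask = int(doc.get("event_data", {}).get("AccessMask", "0"), 16)
    return bool(mask & (DELETE | DELETE_CHILD))


def deletions(docs):
    """The Discover-style list: one row per deletion with the three requested columns."""
    rows = []
    for doc in docs:
        if not is_deletion(doc):
            continue
        ed = doc["event_data"]
        rows.append({"who": ed.get("SubjectUserName"),
                     "what": ed.get("ObjectName"),
                     "type": ed.get("ObjectType")})
    return rows


def count_by_user(docs):
    """The aggregated view Tim describes: how many deletions each user performed."""
    return dict(Counter(row["who"] for row in deletions(docs)))


if __name__ == "__main__":
    for row in deletions(SAMPLE_DOCS):
        print(f"{row['who']} deleted {row['what']} ({row['type']})")
    print(count_by_user(SAMPLE_DOCS))
```

Once the real field names are confirmed, the same selection becomes the Discover filter: event_id 4663 plus an access mask containing the delete bit, with the three event_data fields added as columns.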


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.