IP address shown in Kibana from Winlogbeat

Hello,

I prepared a logstash.conf that brings me the IP address from the host (Winlogbeat), but it didn't reach my goal ... all my components are the latest version. I need help.

input {
  beats {
    port => 5044
  }
}

filter {
  # This pattern targets a Linux UFW kernel log line; the literal square
  # brackets around "UFW ..." must be escaped or grok treats them as a
  # character class and the match fails.
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:datetime} %{HOSTNAME:hostname} kernel: \[UFW %{DATA:action}\] IN=(%{DATA:int_in}) OUT=(%{DATA:int_out}) (MAC=%{DATA:macaddr})?SRC=%{IP:srcip} DST=%{IP:dstip} %{GREEDYDATA:ufw_opts} PROTO=%{WORD:protocol} (SPT=%{WORD:srcport})? ?(DPT=%{WORD:dstport})?" }
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200" # it used to be "host" and "port" pre-2.0
    # Elasticsearch index names must be lowercase; "FW2" is rejected.
    index => "fw2"
  }
}

Your Logstash output config does not follow the recommended config. Have you read through the Winlogbeat Getting Started Guide?

What version of Winlogbeat? What version of Windows? What is the message you are trying to parse? From what event log and source is this event generated? What is its event ID number? If you can provide a sample event as produced by Winlogbeat in JSON form, this would help us help you, as it would answer all these questions.

For event sources that produce structured data, grok is unnecessary. For example, event ID 4625 from the Security log produces a field named event_data.IpAddress that contains just the IP, and therefore parsing is not needed. Here are more sample events showing how event_data contains the parameters used in the message.
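To illustrate the point about structured versus free-text events, here is an added example (not code from either poster or from Elastic): a small Python helper that reads the source IP straight from event_data.IpAddress for a Winlogbeat event, and only falls back to a regex equivalent of the UFW grok above when the event is a plain syslog message. The sample events are constructed, and the field layout (event_id, log_name, event_data) is assumed to follow the Winlogbeat JSON the reply refers to.

```python
import re
from collections import Counter

# Regex equivalent of the grok pattern from the original post, with the
# [UFW ...] brackets escaped (unescaped, grok reads them as a character class).
UFW_RE = re.compile(
    r"^(?P<datetime>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) kernel: "
    r"\[UFW (?P<action>[^\]]+)\] IN=(?P<int_in>\S*) OUT=(?P<int_out>\S*) "
    r"(?:MAC=(?P<macaddr>\S+) )?SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+) "
    r"(?P<ufw_opts>.*?)PROTO=(?P<protocol>\w+)"
    r"(?: SPT=(?P<srcport>\d+))?(?: DPT=(?P<dstport>\d+))?"
)

def source_ip(event):
    """Source IP of one beat event (dict as Logstash would receive it), or None."""
    # Structured Windows event: Winlogbeat already exposes event_data.IpAddress,
    # so no grok is needed. "-" means no network address (local logon).
    ip = (event.get("event_data") or {}).get("IpAddress")
    if ip and ip != "-":
        return ip
    # Free-text message (the UFW kernel line the grok targets): parse it instead.
    m = UFW_RE.match(event.get("message", ""))
    return m.group("srcip") if m else None

def failed_logons_by_ip(events):
    """Count Security event 4625 (failed logon) per remote source IP."""
    counts = Counter()
    for ev in events:
        if ev.get("log_name") == "Security" and ev.get("event_id") == 4625:
            ip = source_ip(ev)
            if ip:
                counts[ip] += 1
    return counts

# Constructed sample events (not real captures): two Winlogbeat 4625 records
# and one Filebeat-style UFW syslog line.
SAMPLE_EVENTS = [
    {"log_name": "Security", "event_id": 4625, "computer_name": "dc01",
     "event_data": {"TargetUserName": "bob", "IpAddress": "203.0.113.7", "LogonType": "3"},
     "message": "An account failed to log on."},
    {"log_name": "Security", "event_id": 4625, "computer_name": "dc01",
     "event_data": {"TargetUserName": "alice", "IpAddress": "-", "LogonType": "2"},
     "message": "An account failed to log on."},
    {"message": "Oct 10 13:55:36 fw01 kernel: [UFW BLOCK] IN=eth0 OUT= "
                "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 "
                "DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
                "PROTO=TCP SPT=443 DPT=54321 WINDOW=0 RES=0x00 ACK RST URGP=0"},
]
```

`failed_logons_by_ip(SAMPLE_EVENTS)` returns a count per remote IP, which is the kind of aggregation you would otherwise build as a Kibana visualization on event_data.IpAddress.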
