winlogbeat-my computer
logstash-(GCP Compute Engine)
Winlogbeat sends sysmon field from logstash.
Filtering is as follows,
It was written in a format that maps the ProcessCreate event.
However, writing this way works well.
---logstash.conf---
input {
beats {
port => 5044
}
}
filter{
if([event][code]==1){
grok{
match=>{"message"=>'.*?\n?RuleName: (?<RuleName>.+\n).*?UtcTime: (?<UtcTime>.+\n).*?ProcessGuid: (?<ProcessGuid>.+\n).*?ProcessId: (?<ProcessId>.+\n).*?Image: (?<Image>.+\n).*?FileVersion: (?<FileVersion>.+\n).*?Description: (?<Description>.+\n).*?Product: (?<Product>.+\n).*?Company: (?<Company>.+\n).*?OriginalFileName: (?<OriginalFileName>.+\n).*?CommandLine: (?<CommandLine>.+\n).*?CurrentDirectory: (?<CurrentDirectory>.+\n).*?User: (?<User>.+\n).*?LogonGuid: (?<LogonGuid>.+\n).*?LogonId: (?<LogonId>.+\n).*?TerminalSessionId: (?<TerminalSessionId>.+\n).*?IntegrityLevel: (?<IntegrityLevel>.+\n).*?Hashes: (?<Hashes>.+\n).*?ParentProcessGuid: (?<ParentProcessGuid>.+\n).*?ParentProcessId: (?<ParentProcessId>.+\n).*?ParentImage: (?<ParentImage>.+\n).*?ParentCommandLine: (?<ParentCommandLine>.+)'}
}
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}
If I create a remove_field, mutate area, it doesn't work.
Data does not pass from winlogbeat to logstash.
input {
beats {
port => 5044
}
}
filter{
if([event][code]==1){
grok{
match=>{"message"=>'.*?\n?RuleName: (?<RuleName>.+\n).*?UtcTime: (?<UtcTime>.+\n).*?ProcessGuid: (?<ProcessGuid>.+\n).*?ProcessId: (?<ProcessId>.+\n).*?Image: (?<Image>.+\n).*?FileVersion: (?<FileVersion>.+\n).*?Description: (?<Description>.+\n).*?Product: (?<Product>.+\n).*?Company: (?<Company>.+\n).*?OriginalFileName: (?<OriginalFileName>.+\n).*?CommandLine: (?<CommandLine>.+\n).*?CurrentDirectory: (?<CurrentDirectory>.+\n).*?User: (?<User>.+\n).*?LogonGuid: (?<LogonGuid>.+\n).*?LogonId: (?<LogonId>.+\n).*?TerminalSessionId: (?<TerminalSessionId>.+\n).*?IntegrityLevel: (?<IntegrityLevel>.+\n).*?Hashes: (?<Hashes>.+\n).*?ParentProcessGuid: (?<ParentProcessGuid>.+\n).*?ParentProcessId: (?<ParentProcessId>.+\n).*?ParentImage: (?<ParentImage>.+\n).*?ParentCommandLine: (?<ParentCommandLine>.+)'}
}
mutate {
convert => {
"RuleName" => "text"
"UtcTime" => "text"
"ProcessGuid" => "text"
"ProcessId" => "text"
"Image" => "text"
"FileVersion" => "text"
"Description" => "text"
"Product" => "text"
"Company" => "text"
"OriginalFileName" => "text"
"CommandLine" => "text"
"CurrentDirectory" => "text"
"User" => "text"
"LogonGuid" => "text"
"TerminalSessionId" => "text"
"IntegrityLevel" => "text"
"ParentProcessGuid" => "text"
"Hashes" => "text"
"ParentProcessId" => "text"
"ParentImage" => "text"
"ParentCommandLine" => "text"
}
remove_field => ["message"]
}
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}
Could you solve it?
ps: I check vaild use bin/logstash --config.test_and_exit -f /etc/logstash/conf.d/logstash.conf
This has passed.