input {
beats {
port => 5044
ssl => true
type => "json"
ssl_certificate => "/etc/pki/tls/certs/abc.crt"
ssl_key => "/etc/pki/tls/private/abc.key"
}
}
filter {
if [type] == "wineventlog" {
ruby {
code => "
event.get('event_data').each {|k, v|
event.set(k, v)
}
event.remove('event_data')
"
}
mutate {
rename => [ "[host][name]", "hostname" ]
}
mutate {
remove_field => [ "tags", "opcode", "@version", "beat", "message", "LogonGuid", "ProcessId", "ProcessName", "SubjectLogonId", "SubjectUserSid", "TargetInfo", "TargetLogonGuid", "activity_id", "event_id", "opcode", "process_id", "provider_guid", "record_number", "param10", "param11", "param4", "param5", "param8", "thread_id", "param7", "LmPackageName", "IpPort", "ImpersonationLevel", "KeyLength", "TransmittedServices", "TargetLogonId", "TargetUserSid", "host" ]
}
}
}
output {
influxdb {
host => ["192.168.100.1"]
port => 8086
user => "admin"
password => "admin"
db => "dac_demo"
measurement => "winevent_log"
allow_time_override => "true"
time_precision => "s"
use_event_fields_for_data_points => "true"
exclude_fields => ["message", "@timestamp", "@version", "sequence", "type", "ElevatedToken", "LogonProcessName", "TargetDomainName", "task", "TargetLinkedLogonId", "VirtualAccount", "PrivilegeList"]
send_as_tags => ["host", "source"]
data_points => { }
}
stdout {
codec => rubydebug
}
}
Error:
[2018-12-18T15:21:10,775][WARN ][logstash.outputs.influxdb] Non recoverable exception while writing to InfluxDB {:exception=>#<InfluxDB::Error: {"error":"unable to parse 'winevent_log computer_name="windows-user1.example.com",source_name="Microsoft-Windows-Security-Auditing",log_name="Security",hostname="windows-user1",SubjectUserName="SYSTEM",keywords=["Audit Success"],level="Information",SubjectDomainName="NT AUTHORITY" 1545124867': invalid boolean\nunable to parse 'winevent_log computer_name="windows-user1.example.com",IpAddress="-",log_name="Security",SubjectUserName="windows-user1$",level="Information",RestrictedAdminMode="-",TargetOutboundDomainName="-",AuthenticationPackageName="Negotiate",TargetUserName="SYSTEM",source_name="Microsoft-Windows-Security-Auditing",hostname="windows-user1",keywords=["Audit Success"],SubjectDomainName="example",version=2i,WorkstationName="-",LogonType="5",TargetOutboundUserName="-" 1545124867': invalid boolean"}
Logstash fields like:
{
"computer_name" => "windows-user1.example.com",
"IpAddress" => "-",
"task" => "Logon",
"log_name" => "Security",
"VirtualAccount" => "%%1843",
"SubjectUserName" => "windows-user1.example$",
"level" => "Information",
"@timestamp" => 2018-12-18T09:02:16.033Z,
"RestrictedAdminMode" => "-",
"AuthenticationPackageName" => "Negotiate",
"TargetOutboundDomainName" => "-",
"TargetUserName" => "SYSTEM",
"LogonProcessName" => "Advapi ",
"type" => "wineventlog",
"TargetLinkedLogonId" => "0x0",
"source_name" => "Microsoft-Windows-Security-Auditing",
"TargetDomainName" => "NT AUTHORITY",
"hostname" => "windows-user1.example",
"keywords" => [
[0] "Audit Success"
],
"ElevatedToken" => "%%1842",
"SubjectDomainName" => "EXAMPLE",
"version" => 2,
"WorkstationName" => "-",
"LogonType" => "5",
"TargetOutboundUserName" => "-"
What is wrong?
Wish help