Dear community
I'm using a data table to show the top count of event IDs found in my Winlogbeat index, and I am searching for a way to have a column in the table with the description of the event_id as specified on the security module page.
I think I should be able to do this by passing Winlogbeat logs through Logstash, which can then add fields depending on the event ID, but imo that seems very inefficient because I would add a lot of redundant text.
You could just paste that list into a markdown vis and put it next to the table on a dashboard. This saves you from adding any extra data and it's basically a lookup table for the person checking.
But I think most of them are added to the events in a Winlogbeat index; I don't have any data right now on my machine from the Windows event log to check. If so, after doing the split by event ID you can also do one on Event Message/Description; since there will only be one for each event ID, you could get exactly what you want.
You can use a static lookup using index field formatting, or you can just create another index with the mapping.
In the dashboard you have your Winlogbeat data table and a second table or markdown with the mapping. It's important to have the event ID in the same field in both indices.
This doesn't look like a clean solution, because when I order my event IDs differently the markdown doesn't change with it, I think. Also, when I try splitting on the event message/description I get empty results, because the messages contain usernames and IDs, so they are not unique.
I'm looking into doing this and am trying to put all the event IDs with their description in a static lookup pattern, which is a scripted field for my Winlogbeat index.
I don't seem to fully understand how this static lookup works, because I am required to fill in a script below.
As far as I know this will create a sort of condition for my index, and if that event ID is found a new field with the description will be created.
I tried implementing this as you specified with return, and also with a new field, e.g.:
def eventid = doc['winlog.event_id'].value;
if (eventid == 4625) {
    doc['winlog.event_id.description'].value = "An account failed to log on"
}
When I check my Discover after running the script I still can't find the description field for event_id where the event_id is 4625.
Also when trying to put the string in event_id.description the description doesn't get created.
When I 'return' in my if condition, where does this return refer to?
That it is annoying shouldn't be a problem since this is a one time operation.
No, don't use this: doc['winlog.event_id.description'].value = "An account failed to log on" because it won't change the value of a field in the index.
Use return "an account failed to log on" instead and then use the scripted field as the field to split on in your data table.
I'm using this now and it works great. I did have to make sure the scripted field was of type string and that the event ID number in the comparison is between quotes ("") because it is also of type string.
def eventid = doc['winlog.event_id'].value;
if (eventid == "7036") {
    return "A service changed state"
}
return null
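The working script above covers one event ID with one if-block. As an added example (not code from this thread or from Winlogbeat), here is the same idea generalized to a lookup map, written as a Kibana scripted field of type string in Painless. It assumes the Winlogbeat 7.x ECS field names winlog.event_id and winlog.channel, both mapped as keyword; the description table is a constructed, illustrative subset of well-known Windows event IDs. The key is channel plus ID rather than ID alone, because event IDs are only unique within a channel (4625 lives in the Security log, 7036 in the System log).

```painless
// Added example for a Kibana scripted field (type: string) on a Winlogbeat index.
// Not code from the original thread. Assumes Winlogbeat 7.x ECS field names
// winlog.event_id and winlog.channel (both keyword). The descriptions below are
// a constructed subset for illustration; extend the map with your own IDs.

// Lookup table keyed by "channel:event_id", because event IDs are only unique
// within a channel (4625 is a Security event, 7036 a System/Service Control Manager event).
Map descriptions = [
  'Security:1102': 'The audit log was cleared',
  'Security:4624': 'An account was successfully logged on',
  'Security:4625': 'An account failed to log on',
  'Security:4634': 'An account was logged off',
  'Security:4672': 'Special privileges assigned to new logon',
  'Security:4688': 'A new process has been created',
  'Security:4720': 'A user account was created',
  'System:7036':   'A service entered a new state'
];

// Guard against documents that lack the field: reading .value of an empty
// doc value throws, and one failing document breaks the whole visualization.
if (!doc.containsKey('winlog.event_id') || doc['winlog.event_id'].size() == 0) {
  return null;
}

// toString() covers both a keyword (string) and a numeric mapping of the event ID,
// so the comparison works whichever way the field was indexed.
String id = doc['winlog.event_id'].value.toString();

// Assumption: when the channel is missing, treat the event as a Security event.
String channel = (doc.containsKey('winlog.channel') && doc['winlog.channel'].size() > 0)
    ? doc['winlog.channel'].value
    : 'Security';

String key = channel + ':' + id;
if (descriptions.containsKey(key)) {
  return descriptions.get(key);
}

// Unknown IDs keep their raw value so they still show up as their own bucket
// in the data table instead of disappearing into a null bucket.
return 'Unknown event ' + id;
```

Create the scripted field on the Winlogbeat index pattern with type string (a name such as event_description is an assumption), then use it as the terms field of the data table split. Because a scripted field is evaluated per document at query time, a terms aggregation over it on a large index is considerably more expensive than aggregating on an indexed keyword; if the table becomes slow, store the description at ingest time instead (an ingest pipeline or Logstash) and split on the stored field.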