Many many processors, how many is too many?

ajhstn · August 11, 2019, 3:06am

I have a very long winlogbeat processor list that does a heap of security related stuff like;

Add failure code descriptions

    - add_fields:
        when.equals.winlog.event_data.Status: "0xc000006a"
        fields:
          winlog.event_data.StatusDescription: "Bad password."
        target: ""
    - add_fields:
        when.equals.winlog.event_data.Status: "0xc000006e"
        fields:
          winlog.event_data.StatusDescription: "Unknown user name or bad password."
        target: ""

and

Add group mod descriptions

- add_fields:
    when.equals.winlog.event_id: 4727
    fields:
        winlog.event_data.Info: "A security-enabled global group was created."
    target: ""
- add_fields:
    when.equals.winlog.event_id: 4728
    fields:
        winlog.event_data.Info: "A member was added to a security-enabled global group."
    target: ""
- add_fields:
    when.equals.winlog.event_id: 4729
    fields:
        winlog.event_data.Info: "A member was removed from a security-enabled global group."
    target: ""

I have two questions;

Is this the most efficient way of doing this- if not can i have examples of other ways (without using Logstash)
I'd like to use ECS. To make use of ECS do i simply need to convert or copy the "username" fields to user.name using processors or is there a completely different official way to populate the user.name field and other ECS fields?

steffens · August 13, 2019, 9:15am

With windows event logs, throughput is normally limited by the Windows APIs itself.

for number of processors it maybe depends on the input configuration as well. Looking at your snipped I assume these are global processors. Each beat support local processors as well. This very often reduces the need for filtering, but also keeps processors close to where the events are generated (eases maintenance if you have a large set of inputs).

I'd like to use ECS. To make use of ECS do i simply need to convert or copy the "username" fields to user.name using processors or is there a completely different official way to populate the user.name field and other ECS fields?

Which username field? Which winlogbeat version are you using? Winlogbeat 7.x+ should use ECS, and if not I'd say it's a bug.

system · September 10, 2019, 11:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.