Many many processors, how many is too many?

ajhstn · August 11, 2019, 3:06am

I have a very long winlogbeat processor list that does a heap of security related stuff like;

Add failure code descriptions

    - add_fields:
        when.equals.winlog.event_data.Status: "0xc000006a"
        fields:
          winlog.event_data.StatusDescription: "Bad password."
        target: ""
    - add_fields:
        when.equals.winlog.event_data.Status: "0xc000006e"
        fields:
          winlog.event_data.StatusDescription: "Unknown user name or bad password."
        target: ""

and

Add group mod descriptions

- add_fields:
    when.equals.winlog.event_id: 4727
    fields:
        winlog.event_data.Info: "A security-enabled global group was created."
    target: ""
- add_fields:
    when.equals.winlog.event_id: 4728
    fields:
        winlog.event_data.Info: "A member was added to a security-enabled global group."
    target: ""
- add_fields:
    when.equals.winlog.event_id: 4729
    fields:
        winlog.event_data.Info: "A member was removed from a security-enabled global group."
    target: ""

I have two questions;

Is this the most efficient way of doing this- if not can i have examples of other ways (without using Logstash)
I'd like to use ECS. To make use of ECS do i simply need to convert or copy the "username" fields to user.name using processors or is there a completely different official way to populate the user.name field and other ECS fields?

steffens · August 13, 2019, 9:15am

With windows event logs, throughput is normally limited by the Windows APIs itself.

for number of processors it maybe depends on the input configuration as well. Looking at your snipped I assume these are global processors. Each beat support local processors as well. This very often reduces the need for filtering, but also keeps processors close to where the events are generated (eases maintenance if you have a large set of inputs).

I'd like to use ECS. To make use of ECS do i simply need to convert or copy the "username" fields to user.name using processors or is there a completely different official way to populate the user.name field and other ECS fields?

Which username field? Which winlogbeat version are you using? Winlogbeat 7.x+ should use ECS, and if not I'd say it's a bug.

system · September 10, 2019, 11:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat and ECS Beats winlogbeat	8	2012	October 30, 2018
How to collect more than 22 event ids with winlogbeat? Beats winlogbeat	2	1103	April 13, 2018
Winlogbeat New ECS Fields and security module questions Beats ecs-elastic-common-schema , winlogbeat	16	2254	October 4, 2019
Winlogbeat multiple add_fields processors throws an error Beats winlogbeat	2	627	May 26, 2020
Add fields to winlogbeat events Beats winlogbeat	8	985	June 24, 2019

Many many processors, how many is too many?

Add failure code descriptions

Add group mod descriptions

Related topics