Monitor Windows Filesystem changes

Hello,

I want to monitor Windows filesystem changes with Elastic. I want to see what files are created and deleted by which user.

First I tried using Auditbeat, which has the event.action field that shows update, delete, create and move. Exactly what I want to know. But the big problem is that the "who" is completely missing. The Auditbeat documents contain no information about who performed the action.

So next I tried to use the Windows events with Winlogbeat. Those documents contain the user in winlog.event_data.SubjectUserName. But the big problem here is that I could not figure out how to monitor file creation, moves, updates or renames.
As far as I know the Windows events do not contain any rename information whatsoever; instead, if I create a new folder C:\monitored path\test I get a create child 4656 event on C:\monitored path\new folder and a 4663 delete event on C:\monitored path\new folder. But C:\monitored path\test does not appear in the event log until something else happens to it, like deletion. In that case there would be a 4663 delete event on the path.

So I can monitor who deletes which files using Winlogbeat, or which events happen using Auditbeat, but so far I could not figure out how to monitor who creates, moves, updates or renames, because of the way the Windows filesystem works and because Auditbeat is missing the user information. Any idea how to do this with Elastic?

Best regards
Jonas
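As an added illustration of the Winlogbeat side of the question (not code from the post or from Elastic), the script below correlates 4663 object-access documents into a per-user, per-object list of actions by decoding the AccessMask field, and skips 4656 handle requests because they do not record the access itself. It assumes the Winlogbeat field names winlog.event_id, winlog.event_data.SubjectUserName, winlog.event_data.ObjectName and winlog.event_data.AccessMask, and the standard Windows access-mask bits; the sample documents are constructed.

```python
"""Correlate Winlogbeat 4663 object-access events into per-user file actions.

Added example, not from the original post. Assumes Winlogbeat's field names
and the standard Windows access-mask bits; the sample events are constructed.
"""
from collections import defaultdict

# Access-mask bits as they appear in the 4663 AccessMask field (hex string).
ACCESS_BITS = {
    0x00001: "read",     # FILE_READ_DATA / FILE_LIST_DIRECTORY
    0x00002: "write",    # FILE_WRITE_DATA / FILE_ADD_FILE
    0x00004: "append",   # FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY
    0x10000: "delete",   # DELETE
}


def classify_access(mask_text):
    """Map a 4663 AccessMask value such as '0x10000' to sorted action names."""
    mask = int(mask_text, 16)
    return sorted(name for bit, name in ACCESS_BITS.items() if mask & bit)


def summarize(events):
    """Return {user: {object_name: [actions]}} built from 4663 events only."""
    summary = defaultdict(lambda: defaultdict(set))
    for ev in events:
        win = ev.get("winlog", {})
        # 4656 only records the handle request; 4663 records the access used.
        if str(win.get("event_id")) != "4663":
            continue
        data = win["event_data"]
        actions = classify_access(data["AccessMask"])
        summary[data["SubjectUserName"]][data["ObjectName"]].update(actions)
    return {u: {o: sorted(a) for o, a in objs.items()} for u, objs in summary.items()}


# Constructed sample documents in Winlogbeat's shape (assumed field names).
SAMPLE_EVENTS = [
    {"winlog": {"event_id": 4656, "event_data": {"SubjectUserName": "jonas",
        "ObjectName": r"C:\monitored path\new folder", "AccessMask": "0x2"}}},
    {"winlog": {"event_id": 4663, "event_data": {"SubjectUserName": "jonas",
        "ObjectName": r"C:\monitored path\new folder", "AccessMask": "0x10000"}}},
    {"winlog": {"event_id": 4663, "event_data": {"SubjectUserName": "alice",
        "ObjectName": r"C:\monitored path\report.docx", "AccessMask": "0x3"}}},
]

if __name__ == "__main__":
    for user, objs in summarize(SAMPLE_EVENTS).items():
        for obj, actions in objs.items():
            print(f"{user}: {obj} -> {', '.join(actions)}")
```

The summary only answers "who did what to which object"; it cannot recover a rename target, since, as noted above, the rename itself is not recorded in these events.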
