Multi-field on CommandLine in Winlogbeat

mathurin68 · January 2, 2018, 4:36pm

I'm working with Winlogbeat and I need event_data.CommandLine field to 'text' so I can run 'term' query on it and look for badness, I guess multi-fields is the way to go to add another field as text...

Trying to get my head around this without screwing up what I already have -

Current -

{
  "winlogbeat-2018.01.02": {
    "mappings": {
      "doc": {
        "event_data.CommandLine": {
          "full_name": "event_data.CommandLine",
          "mapping": {
            "CommandLine": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      }
    }
  }
}

Is this it?

PUT winlogbeat_multi
{
  "mappings": {
    "cmdline": {
      "properties": {
        "event_data.CommandLine": {
          "type": "keyword",
		  "ignore_above": 1024
          "fields": {
            "text": { 
              "type":  "text"
            }
          }
        }
      }
    }
  }
}

Questions:
A) So then I should be able to use term on "event_data.CommandLine.text"?
B) This index will then be re-created each day?

Thanks!

mathurin68 · January 2, 2018, 6:31pm

Even better would be to modify the default index to map strings to both text and keyword.

{
  "winlogbeat-2018.01.02": {
    "mappings": {
      "doc": {
        "_meta": {
          "version": "5.5.1"
        },
        "dynamic_templates": [
          {
            "strings_as_keyword": {
              "match_mapping_type": "string",
              "mapping": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          }
        ]

mathurin68 · January 4, 2018, 10:42pm

Finally got this to work, at least I learned some stuff...

I upgraded elkstack to 6.1.1 upgraded winlogbeats to 6.1.1 and then modified the winlogbeat.template.json

to make event.data use a multi-field, both text and keyword - best of both worlds baby!

{,
        {
          "event_data": {
            "mapping": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            },
            "match_mapping_type": "string",
            "path_match": "event_data.*"
          }
        }

I deleted all the old winlogbeat indices -

curl -XDELETE 'http://localhost:9200/winlogbeat-*'

I added the new one that I modified, to overwrite the old one.

curl -XDELETE 'http://localhost:9200/winlogbeat-*'
curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_tem plate/winlogbeat -d@winlogbeat.template.json

...and voila.

Questions:

Why, even after running curl -XDELETE 'http://localhost:9200/winlogbeat-*'
are there still winlogbeat indexes in there from the last 3 days...
yellow open winlogbeat-2018.01.02 FcFuDnxrQBSs3FNOzxO9gQ 5 1 65529 0 72.6mb 72.6mb
yellow open winlogbeat-2018.01.03 W4Sk_zfqSlSp5L3yP_yAbg 5 1 89871 0 102.4mb 102.4mb
yellow open winlogbeat-2018.01.01 BulBR2ClQcqp3VOcVbXblg 5 1 12134 0 14mb 14mb
yellow open .kibana yPIY2NENSpOiseZ0JdrWwQ 1 1 17 9 80.1kb 80.1kb

Helpful Posts -
https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-getting-started.html

https://www.elastic.co/guide/en/elasticsearch/reference/current/multi-fields.html

https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-term-query.html

Helpful Console Commands -
#list templates to see if it's in there
GET _template

#searching for term in dev console will help by popping up suggestions -

GET /winlogbeat-2018.01.04/_search
{
  "query": {
    "term": {
      "event_data.CommandLine": "net"
      }
    }
  }

-- now gotta get this to work with powershell.scriptblock.text!

mathurin68 · January 16, 2018, 3:43pm

Spoke too soon... term works now but the keyword field is now empty...

andrewkroh · January 16, 2018, 7:24pm

Maybe it would make sense to officially change the event_data.CommandLine field to be a multi-field. I think most users would benefit from this change.

In Winlogbeat 6.x we generate the index templates for each specific ES version based on the data from fields.yml.

I think it would work we added another field to that field named event_data.CommandLine that uses config like the file.path in Auditbeat which is a multi-field. https://github.com/elastic/beats/blob/59f728a60239d5464575beef911b2ee9a9f2427e/auditbeat/module/file_integrity/_meta/fields.yml#L17-L25

The fields.yml file is shipped in the root of the zip download package for Winlogbeat 6.x. Once the file is updated you can test the changes by looking at the generated index template by using:

.\winlogbeat.exe export template --es.version=5.6.5

mathurin68 · January 16, 2018, 10:10pm

Hey @andrewkroh !!

That would definitely make things easier on me, and that's good to know about the fields.yml!

Thank you so much -

I cleaned it up and sort of re-asked it here, if I could close it I would...

I am definitely going to redo this using the fields.yml.

system · February 13, 2018, 10:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.