Need help retrieving username and/or computer name into Kibana using Winlogbeat

BMV · April 7, 2017, 9:36am

Hi Elastic community,

I have just started using Elastic with Kibana on the front end and Winlogbeat.

I am currently working on a project for work that revolves around analysing the Windows event log files of around 100 virtualised servers. My task is to identify when the administrator credentials have been used to RDP into these servers and indicate who is making this connection.

Despite having most of the data I need within Kibana, I am not able to retrieve possibly the most important information needed, which is either the username and/or computer name of where the connection to the servers is occurring. The computer name and workstation index fields only provide the server side information, not of the person or computer RDPing into the servers.

I am using event_data.IpAddress to retrieve the IP address of the connection, so I was wondering if there is a way to do a nslookup of this address within Kibana and display it under a custom index field? I have a powershell script that does this nslookup but Kibana only allows for Painless or Expression code to be written. My scripting skill is next to none.

Can anyone please give me some advice how I would be able to display either the username and/or the computer name of the remote client trying to connect to these servers?

Thank you for your time. Needing help ASAP!

bhavyarm · April 7, 2017, 2:53pm

Hi,

Kibana can't do this directly. But we have this plugin in Logstash: https://www.elastic.co/guide/en/logstash/current/plugins-filters-dns.html.

You will have to do winglobeat->logstash(filter)->ES->Kibana. Can you give it a try?

Thanks,
Bhavya

BMV · April 11, 2017, 10:28am

Hi bhavyarm,

Thank you for your reply. I have attempted to install the DNS filter plugin and have failed miserably. The Elasticsearch server is offline and even when attempting to install the plugin offline using the gem file as written in the documentation, it continuously tries to connect online and refuses this connection. After doing some research, this was a bug that many were experiencing in earlier versions. I am currently running 5.2.2 of ES, Kibana, etc. I will continue to work on it but any advice you may have would be appreciated.

Also, the final line in your reply suggests that Winlogbeat needs to go through Logstash (filter) before it gets to ES and I'm able to see it in Kibana. Does this mean the DNS information I am after will be displayed as a new Winlogbeat field or will it be a Logstashbeat field? At the moment, Winlogbeat is the only index pattern I am using in Kibana.

Sorry for the questions, but I have just started using ES and Kibana and still learning my way around the system and how it works.

Many thanks

BMV

system · May 9, 2017, 10:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.