Question about my 2 pipelines

Hello, I have some questions.

I have an Elastic stack with many Beats on Windows file servers, AD, and Exchange. All events are sent to Logstash into different pipelines: port 5044 for AD and 5043 for the file server.

I use 2 different pipelines because I want to know the disk space evolution of the file server events, because for the moment I'm only testing a small part of the files.

But I can see some events pass through my filter, like event_id 4634 and many others, which should not match any field in my filter.

Can someone explain that?

And my other question is: when I try to create an index pattern in Kibana with winlogbeat-(fs)-6.5.4-2019.04.01 with this custom index pattern id winlogbeat-(fs)-*,

Kibana creates the index regardless of my indication for my custom pattern. Why does it do that?
Is it because I've written -(fs)- in my pipeline?

Sorry if the answers are obvious; I am a student and I still have a lot to learn about Elastic.

Here is my config file for my file server and AD:

    #------------------------------------filter for FS------------------------------------
    # Removes ::ffff: from the IP address
    # (gsub takes a field reference, not a %{...} sprintf string)
    filter {
      if "winlogbeat" in [tags] {
        mutate {
          gsub => ["[event_data][IpAddress]", "::ffff:", ""]
        }
      }
    }

    # Access to an object
    filter {
      if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4656 {
        mutate {
          remove_field => ["[message]"]
          add_field => { "short_message" => "A handle to an object was requested" }
        }
      }
    }

    # A handle to an object was requested with intent to delete
    filter {
      if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4659 {
        mutate {
          remove_field => ["[message]"]
          add_field => { "short_message" => "A handle to an object was requested with intent to delete" }
        }
      }
    }

    # Deleted object
    filter {
      if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4660 {
        mutate {
          remove_field => ["[message]"]
          add_field => { "short_message" => "An object was deleted" }
        }
      }
    }

    # A handle to an object was requested
    filter {
      if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4661 {
        mutate {
          remove_field => ["[message]"]
          add_field => { "short_message" => "A handle to an object was requested" }
        }
      }
    }

    # An attempt was made to access an object
    filter {
      if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4663 {
        mutate {
          remove_field => ["[message]"]
          add_field => { "short_message" => "An attempt was made to access an object" }
        }
      }
    }

    # Permissions on an object were changed
    filter {
      if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4670 {
        mutate {
          remove_field => ["[message]"]
          add_field => { "short_message" => "Permissions on an object were changed" }
        }
      }
    }

    # An operation was attempted on a privileged object
    filter {
      if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4674 {
        mutate {
          remove_field => ["[message]"]
          add_field => { "short_message" => "An operation was attempted on a privileged object" }
        }
      }
    }

    # An attempt was made to duplicate a handle to an object
    filter {
      if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4690 {
        mutate {
          remove_field => ["[message]"]
          add_field => { "short_message" => "An attempt was made to duplicate a handle to an object" }
        }
      }
    }

    # Indirect access to an object was requested
    filter {
      if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4691 {
        mutate {
          remove_field => ["[message]"]
          add_field => { "short_message" => "Indirect access to an object was requested" }
        }
      }
    }

    # A network share object was checked to see whether client can be granted desired access
    filter {
      if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 5145 {
        mutate {
          remove_field => ["[message]"]
          add_field => { "short_message" => "A network share object was checked to see whether client can be granted desired access" }
        }
      }
    }

    ######################### End of Active Directory Security Logs #########################

    output {
      elasticsearch {
        hosts => ["ipaddresselastic:9200"]
        manage_template => true
        index => "%{[@metadata][beat]}-(fs)-%{[@metadata][version]}-%{+YYYY.MM.dd}"
        user => "logstash_internal"
        password => "******"
      }
    }

Here are my filters for AD:

Now I can't see any events from my AD in the Discover section, but I can view new events in my dashboard, account locked for example. I'm a little bit lost.
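As an added illustration (not part of the original post and not Logstash code), the following Python model of the posted filter stage shows why an event such as event_id 4634 still reaches the output: a Logstash conditional that does not match simply leaves the event untouched, so events with unlisted IDs are indexed unchanged unless a `drop {}` filter is added for them. The sample events, the `drop_unmatched` switch and the `index_name` helper are constructed for this example; the event_id table mirrors the conditional `mutate` blocks in the posted config.

```python
import copy
from datetime import datetime

# Table of Security event_id -> short_message, mirroring the conditional
# mutate blocks of the posted file-server pipeline.
SHORT_MESSAGES = {
    4656: "A handle to an object was requested",
    4659: "A handle to an object was requested with intent to delete",
    4660: "An object was deleted",
    4661: "A handle to an object was requested",
    4663: "An attempt was made to access an object",
    4670: "Permissions on an object were changed",
    4674: "An operation was attempted on a privileged object",
    4690: "An attempt was made to duplicate a handle to an object",
    4691: "Indirect access to an object was requested",
    5145: "A network share object was checked to see whether client can be granted desired access",
}

# Constructed sample events in the shape of winlogbeat 6.x output.
SAMPLE_EVENTS = [
    {   # matches the 4663 rule: message removed, short_message added, IP cleaned
        "@timestamp": "2019-04-01T10:15:30.123Z",
        "@metadata": {"beat": "winlogbeat", "version": "6.5.4"},
        "tags": ["winlogbeat"], "log_name": "Security", "event_id": 4663,
        "message": "An attempt was made to access an object.\n...",
        "event_data": {"IpAddress": "::ffff:10.0.0.5"},
    },
    {   # logoff event: no rule matches, so Logstash passes it through unchanged
        "@timestamp": "2019-04-01T10:16:00.000Z",
        "@metadata": {"beat": "winlogbeat", "version": "6.5.4"},
        "tags": ["winlogbeat"], "log_name": "Security", "event_id": 4634,
        "message": "An account was logged off.\n...",
        "event_data": {},
    },
    {   # non-Security log: also passes through unchanged
        "@timestamp": "2019-04-02T08:00:00.000Z",
        "@metadata": {"beat": "winlogbeat", "version": "6.5.4"},
        "tags": ["winlogbeat"], "log_name": "Application", "event_id": 1000,
        "message": "Application error.",
        "event_data": {},
    },
]


def apply_filters(event, drop_unmatched=False):
    """Model of the filter stage. Returns the filtered event, or None if dropped.

    Logstash semantics: a conditional that does not match leaves the event as-is.
    drop_unmatched (hypothetical switch) models adding an `else { drop {} }` for
    tagged events that hit none of the event_id rules.
    """
    event = copy.deepcopy(event)
    if "winlogbeat" not in event.get("tags", []):
        return event  # none of the filters apply to untagged events

    # mutate gsub on [event_data][IpAddress]: strip the IPv4-mapped prefix
    ip = event.get("event_data", {}).get("IpAddress")
    if isinstance(ip, str):
        event["event_data"]["IpAddress"] = ip.replace("::ffff:", "")

    if event.get("log_name") == "Security" and event.get("event_id") in SHORT_MESSAGES:
        event.pop("message", None)                      # remove_field => ["[message]"]
        event["short_message"] = SHORT_MESSAGES[event["event_id"]]  # add_field
    elif drop_unmatched:
        return None                                     # drop {}
    return event


def index_name(event, suffix="(fs)"):
    """Render %{[@metadata][beat]}-(fs)-%{[@metadata][version]}-%{+YYYY.MM.dd}."""
    meta = event["@metadata"]
    ts = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return f"{meta['beat']}-{suffix}-{meta['version']}-{ts:%Y.%m.%d}"


def run_pipeline(events, drop_unmatched=False):
    """Return (index, event) pairs that would reach the elasticsearch output."""
    out = []
    for ev in events:
        filtered = apply_filters(ev, drop_unmatched)
        if filtered is not None:
            out.append((index_name(filtered), filtered))
    return out


if __name__ == "__main__":
    for idx, ev in run_pipeline(SAMPLE_EVENTS):
        print(idx, ev["event_id"], ev.get("short_message", "<passed through unchanged>"))
    print("with drop:", len(run_pipeline(SAMPLE_EVENTS, drop_unmatched=True)), "event(s) indexed")
```

Running it indexes all three sample events under `winlogbeat-(fs)-6.5.4-<date>`, with only the 4663 event rewritten; with `drop_unmatched=True` only that one event survives, which is the behaviour the posted filters would need an explicit drop to get.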
