Hello, I have some questions.
I have an Elastic Stack with many Beats on Windows file servers, AD, and Exchange. All events are sent to Logstash into different pipelines: port 5044 for AD and 5043 for the file server.
I use 2 different pipelines because I want to know the disk space evolution of the file server events, because for the moment I'm only testing a small part of the files.
But I can see some events pass through my filter, like event_id 4634 and many others, which should not match any field in my filter.
Can someone explain that?
And my other question: when I try to create an index pattern in Kibana for winlogbeat-(fs)-6.5.4-2019.04.01 with the custom index pattern ID winlogbeat-(fs)-*,
Kibana creates the index regardless of my indication for my custom pattern. Why does it do that?
Is it because I wrote -(fs)- in my pipeline?
Sorry if the answers are obvious; I am a student and I still have a lot to learn about Elastic.
Here is my config file for my file server and AD:
#------------------------------------ filter for FS ------------------------------------
# Removes ::ffff from IP address
filter {
  if "winlogbeat" in [tags] {
    mutate {
      # gsub takes a field reference; "%{[event_data][IpAddress]}" would be treated
      # as a literal field name and the substitution would never run
      gsub => ["[event_data][IpAddress]", "::ffff:", ""]
    }
  }
}
#access to an object
filter {
  if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4656 {
    mutate {
      remove_field => ["[message]"]
      add_field => { "short_message" => "A handle to an object was requested" }
    }
  }
}
#A handle to an object was requested with intent to delete
filter {
  if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4659 {
    mutate {
      remove_field => ["[message]"]
      add_field => { "short_message" => "A handle to an object was requested with intent to delete" }
    }
  }
}
#deleted object
filter {
  if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4660 {
    mutate {
      remove_field => ["[message]"]
      add_field => { "short_message" => "An object was deleted" }
    }
  }
}
#A handle to an object was requested
filter {
  if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4661 {
    mutate {
      remove_field => ["[message]"]
      add_field => { "short_message" => "A handle to an object was requested" }
    }
  }
}
#An attempt was made to access an object
filter {
  if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4663 {
    mutate {
      remove_field => ["[message]"]
      add_field => { "short_message" => "An attempt was made to access an object" }
    }
  }
}
#Permissions on an object were changed
filter {
  if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4670 {
    mutate {
      remove_field => ["[message]"]
      add_field => { "short_message" => "Permissions on an object were changed" }
    }
  }
}
#An operation was attempted on a privileged object
filter {
  if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4674 {
    mutate {
      remove_field => ["[message]"]
      add_field => { "short_message" => "An operation was attempted on a privileged object" }
    }
  }
}
#An attempt was made to duplicate a handle to an object
filter {
  if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4690 {
    mutate {
      remove_field => ["[message]"]
      add_field => { "short_message" => "An attempt was made to duplicate a handle to an object" }
    }
  }
}
#Indirect access to an object was requested
filter {
  if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 4691 {
    mutate {
      remove_field => ["[message]"]
      add_field => { "short_message" => "Indirect access to an object was requested" }
    }
  }
}
#A network share object was checked to see whether client can be granted desired access
filter {
  if "winlogbeat" in [tags] and [log_name] == "Security" and [event_id] == 5145 {
    mutate {
      remove_field => ["[message]"]
      add_field => { "short_message" => "A network share object was checked to see whether client can be granted desired access" }
    }
  }
}
######################### End of Active Directory Security Logs ########################
output {
  elasticsearch {
    hosts => ["ipaddresselastic:9200"]
    manage_template => true
    index => "%{[@metadata][beat]}-(fs)-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "logstash_internal"
    password => "******"
  }
}
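An added example, not the config from the post above and not anything Elastic ships: the same FS pipeline written as one conditional chain with an explicit else branch. Logstash filters only transform events; an event whose event_id matches none of the conditionals is still handed to every output unchanged, which is why an event such as 4634 (an account was logged off) reaches the index even though no block names it. The field names (log_name, event_id, event_data.IpAddress) are the Winlogbeat 6.x names used in the post; the index token fs, the keystore key ES_PWD and the host ipaddresselastic are assumptions.

```logstash
#------------------------------------ filter for FS (single chain) ------------------------------------
filter {
  # Only Security-log events from Winlogbeat enter the chain; everything else is dropped below.
  if "winlogbeat" in [tags] and [log_name] == "Security" {

    # gsub wants a field reference; a "%{...}" string would be looked up as a literal field name.
    if [event_data][IpAddress] {
      mutate { gsub => ["[event_data][IpAddress]", "::ffff:", ""] }
    }

    # replace sets short_message (or creates it); add_field would turn an existing value into an array.
    if [event_id] == 4656 {
      mutate { replace => { "short_message" => "A handle to an object was requested" } }
    } else if [event_id] == 4659 {
      mutate { replace => { "short_message" => "A handle to an object was requested with intent to delete" } }
    } else if [event_id] == 4660 {
      mutate { replace => { "short_message" => "An object was deleted" } }
    } else if [event_id] == 4661 {
      mutate { replace => { "short_message" => "A handle to an object was requested" } }
    } else if [event_id] == 4663 {
      mutate { replace => { "short_message" => "An attempt was made to access an object" } }
    } else if [event_id] == 4670 {
      mutate { replace => { "short_message" => "Permissions on an object were changed" } }
    } else if [event_id] == 4674 {
      mutate { replace => { "short_message" => "An operation was attempted on a privileged object" } }
    } else if [event_id] == 4690 {
      mutate { replace => { "short_message" => "An attempt was made to duplicate a handle to an object" } }
    } else if [event_id] == 4691 {
      mutate { replace => { "short_message" => "Indirect access to an object was requested" } }
    } else if [event_id] == 5145 {
      mutate { replace => { "short_message" => "A network share object was checked to see whether client can be granted desired access" } }
    } else {
      # Logstash never discards an event just because no conditional matched it.
      # Without this branch 4634 and every other Security event_id still reaches the output.
      # To keep them but mark them, use: mutate { add_tag => ["unhandled_event_id"] }
      drop { }
    }

    # Every event that survives the chain has a short_message, so the verbose body can go.
    mutate { remove_field => ["[message]"] }

  } else {
    # Non-Security or non-Winlogbeat events are not part of the FS test set (assumption).
    drop { }
  }
}

output {
  elasticsearch {
    # placeholder host from the post
    hosts => ["ipaddresselastic:9200"]
    manage_template => true
    # A plain token instead of "(fs)" keeps the Kibana index pattern simple: winlogbeat-fs-*
    index => "%{[@metadata][beat]}-fs-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "logstash_internal"
    # Resolved from the Logstash keystore (bin/logstash-keystore add ES_PWD) or the
    # environment, so the credential is not stored in the pipeline file.
    password => "${ES_PWD}"
  }
}
```

drop {} is a retention decision, not a filter: an event dropped here never reaches Elasticsearch, so it cannot be searched later during an investigation. That is fine for a pipeline whose purpose is to measure the disk footprint of a chosen subset of file-server events, but for a production security index the add_tag variant in the comment is the safer default, since logon and logoff events such as 4634 are exactly what a later query will want alongside the object-access events.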