I have a SIEM use case that require to do a search for After Office hour login and generate a 1 month report with this filter.
Any advice on how could i filter the hour from @timestamp (or any better approach?)
I got a successful way to do it by adding a new field named hourofday using painless with script below
doc['@timestamp'].date.hourofDay
However this might not be the approach my management would prefer as they are afraid that by adding field into the log might abuse the Integrity of logs.
Would appreciate if anyone could shed some lights on:
Is it possible to filter Hour of document so that i could generate a report for after office hour (assume office hour = 9AM to 6PM), and if yes, how could I achieve so?
Also, just a quick query, will the raw logs be modified when I uses painless script to add a field into documents? As we are not suppose to change anything to raw logs due to the C.I.A rules.
Using a script means that for every search hit of a query this script needs to be executed. If you have millions of hits, you will have millions of those executions, so think if there is another way of doing this to keep your queries fast
From what I read you might not need the hour of the day, you can just use a bunch of filters. If you search for the last 7 days, you would need five filters that exclude office hours, instead of checking for the hour of the day.
If you want to speed this up tremendously and you want to be able to really search for the hour of the day, you should rethink your strategy and perhaps just index the hour of the day as a dedicated field, as this will make it very easy to write a query.
to be honest I do not understand the question. Are you referring to the field, that stores the original message? Adding a new field will simply add some more data to each document that gets indexed, but not modify anything else.
Apologize for the confusion,
see below example for a better view
Architecture:
Window device > Beat to collect winlogs > output to ElasticSearch
Questions:
Will Elasticsearch store a copy of raw logs that was sent by winlogbeats (that are not modified nor parsed)?
For Adding new fields will add more data to each document that gets indexed, will adding a new field changes the Question 1's raw logs (eg: add a new line name hourofday=8 at the end of logs)?
The objective is to make sure that there will be a copy of log from Source devices that remained at its raw format as any enriched, or normalized logs will not able to pass the compliance.
Hence we are concern about adding a new field could change the raw logs.
Really appreciate your time and effort on assisting with my query!
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.