SID field Mapping with Windows Active Directory Users

Hi

I have created one POC setup in ELK for analyzing EMC ISILON storage audit logs. I forwarded the logs through a Syslog server, and Filebeat is sending the logs to Logstash. The ISILON was integrated with Windows AD, so I am getting audit logs with Windows AD user SIDs, but I want to map the SID field to the Windows user name in ELK. I need help from anyone to fix this issue.

Thanks in Advance

There's no built-in filter for this, but if you can dump a text file mapping SIDs to username you can use the translate filter to look up the SID in each log event and store the username resulting from the lookup in another field. (You could write a custom filter to perform the lookup on the fly but that's obviously too much work for a proof of concept.)

1 Like
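As an added illustration of the approach described in the reply above (this is not configuration from the original thread), here is a Logstash pipeline fragment using the translate filter. It assumes the SID has already been extracted from the Isilon syslog line into a field named `user_sid` (by a grok or json filter earlier in the pipeline), that the dictionary lives at `/etc/logstash/sid_to_user.yml`, and that the resolved name should land in `user_name`; all three names are assumptions, as is the tag naming.

```logstash
# Added example, not from the original thread.
# Dictionary file format (YAML, one line per account; values shown are constructed):
#   "S-1-5-21-1111111111-2222222222-3333333333-1106": "jdoe"
#   "S-1-5-21-1111111111-2222222222-3333333333-1107": "svc-backup"
filter {
  translate {
    # event field that holds the SID (assumed to be set earlier in the pipeline)
    source           => "[user_sid]"
    # field that receives the resolved user name (assumed name)
    target           => "[user_name]"
    # SID -> user name map exported from AD (assumed path)
    dictionary_path  => "/etc/logstash/sid_to_user.yml"
    # re-read the file every 5 minutes so new accounts resolve without a restart
    refresh_interval => 300
    # whole-key match on the SID string, not substring or regex
    exact            => true
    # keep unmatched SIDs visible instead of leaving the field empty
    fallback         => "UNKNOWN_SID"
  }

  # Tag both outcomes so a dashboard can show how many events did not resolve.
  # An unresolved SID is worth reviewing: it may belong to a deleted account,
  # a trusted domain missing from the export, or a well-known built-in SID.
  if [user_name] == "UNKNOWN_SID" {
    mutate { add_tag => [ "sid_unresolved" ] }
  } else {
    mutate { add_tag => [ "sid_resolved" ] }
  }
}
```

The dictionary can be produced on a domain-joined Windows host with the ActiveDirectory PowerShell module (for example `Get-ADUser -Filter *` selecting `SID` and `SamAccountName`) and rewritten into the YAML form shown in the comment; regenerate it on a schedule so the `refresh_interval` actually picks up new or renamed accounts. The `fallback` value plus the tag makes gaps in the mapping visible in Kibana rather than silently dropping them.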
