Hi, I'm using winlogbeat and receive nice logs with a proper ISO 8601 @timestamp in the received events (I used a logstash conf with a stdout output to check them).
"@timestamp" => 2023-06-15T14:44:20.273Z,
which I think Logstash automatically takes as the event timestamp?
Because there's also an event line:
"created" => "2023-06-15T14:44:21.303Z",
Here's what arrives and I see in Kibana:
"tags": [
"winlogbeat",
"beats_input_codec_plain_applied",
"_grokparsefailure",
"_dateparsefailure"
],
Here's my logstash conf for this:
# Winlogbeat ingest pipeline: accept Beats traffic, keep a small set of
# security-relevant Windows events, ship them to Elasticsearch.
input {
  beats {
    host => "0.0.0.0"
    port => 5046
    # "tags" is an array-typed option; a single-element list is the
    # same as the bare string form.
    tags => ["winlogbeat"]
  }
}

filter {
  # Allow-list: anything that is not one of these event ids or channels
  # is discarded before reaching the output.
  # NOTE(review): this file contains no grok or date filter, so the
  # "_grokparsefailure" / "_dateparsefailure" tags seen on the indexed
  # events must be added by another config file loaded into the same
  # pipeline (Logstash concatenates every file it is pointed at) —
  # confirm which one and what field its date filter reads.
  if !(
    [winlog][event_id] == "4625"
    or [winlog][event_id] == "4723"
    or [winlog][event_id] == "4724"
    or [winlog][channel] == "Microsoft-Windows-WMI-Activity/Operational"
    or [winlog][channel] == "Microsoft-Windows-PowerShell/Operational"
  ) {
    drop { }
  }
  # Add any transformations here (only the kept events reach this point)
}

output {
  elasticsearch {
    # NOTE(review): no ssl/user/password options are set here — fine only
    # if the node is reachable solely on localhost with security disabled;
    # otherwise the credentials and TLS settings belong here too.
    hosts => ["localhost:9200"]
    # The date-math part of the index name is rendered from @timestamp,
    # not from [event][created].
    index => "winlog-%{+YYYY.MM.dd}"
  }
}
Here's what the event logs look like with the original dates:
{
"@version" => "1",
"winlog" => {
"api" => "wineventlog",
"keywords" => [
[0] "Audit Failure"
],
"channel" => "Security",
"opcode" => "Info",
"record_id" => 437346,
"process" => {
"thread" => {
"id" => 6353
},
"pid" => 4
},
"provider_guid" => "{4646464-5478-4994-a5ba-6546465465446ae}",
"event_data" => {
"PrivilegeList" => "SeProfileSingleProcessPrivilege",
"ObjectServer" => "Security",
"Service" => "-",
"SubjectUserSid" => "S-1-5-21-2362662624-123135234-2456245626-2310",
"SubjectDomainName" => "SUPERDOO",
"ProcessId" => "0x15d0",
"ProcessName" => "C:\\Program Files\\Adobe\\Adobe Creative Cloud\\ACC\\Creative Cloud.exe",
"SubjectLogonId" => "0x10479bd9",
"SubjectUserName" => "byute"
},
"computer_name" => "box.boxesofboxes.icu",
"provider_name" => "Microsoft-Windows-Security-Auditing",
"task" => "Sensitive Privilege Use",
"event_id" => "4673"
},
"log" => {
"level" => "information"
},
"agent" => {
"id" => "42e866f3-77cc-4322-55aa-26235236",
"name" => "box",
"type" => "winlogbeat",
"ephemeral_id" => "bfaab648-0f87-3244-abcd-2346326236",
"version" => "8.8.1"
},
"ecs" => {
"version" => "8.0.0"
},
"@timestamp" => 2023-06-15T14:44:20.273Z,
"event" => {
"provider" => "Microsoft-Windows-Security-Auditing",
"outcome" => "failure",
"created" => "2023-06-15T14:44:21.303Z",
"action" => "Sensitive Privilege Use",
"kind" => "event",