Winlogbeat logs filtering in Logstash for storage management and relevant info to elastic

Rojal_Paul · August 23, 2021, 12:06pm

I want to know the problem with my configuration.
I want to reduce the windows logs saved in Logstash by sending relevant info such as warnings, errors. For now, it's taking a huge amount of data for storing all windows logs. When I am using "type" I am getting error which "could not index events to Elasticsearch". I am attching my json file also.
ThanksProcessing: json.txt...

Badger · August 23, 2021, 3:30pm

Please do not post pictures of text, they cannot be searched and are not readable for people who use text-to-speech. Just post the text.

Badger · August 24, 2021, 2:08pm

Please edit your post, select the configuration, and click on </> in the toolbar above the edit pane. Then do the same for the data. That will change the appearance from

input {
beats {
host => "192.168.15.151"
port => "5033"

to

input {
    beats {
        host => "192.168.15.151"
        port => "5033"

etc.

Rojal_Paul · August 25, 2021, 9:25am

I am putting the configuration file for my pipeline here.

input {
beats {
host => "192.168.15.151"
port => "5033"
ssl => true
ssl_certificate => "/etc/logstash/sslCertificate/logstash-remote.crt"
ssl_key => "/etc/logstash/sslCertificate/logstash-remote.key"

type => "winlogevent"
codec => "json"
}
}

filter {

grok {
match => { "message" => "%{COMBINEDAPACHELOG}"}
#}

#if [type] == "_doc" and [Severity] == "error"{
#mutate {
#add_tag => "error"
#}
#}

Drop informational events
if [type] == "eventlog" and [Severity] == "WARNING" {
drop { }
}
Drop warning events
if [type] == "eventlog" and [Severity] == "INFO" {
drop { }
}
}

output {
#if "error" in [tags]{
elasticsearch {
hosts => "https://192.168.15.153:9200"
index => "winlogbeat-logstash"
user => "elastic"
password => "el@stic"
cacert => "/etc/logstash/newfile.crt.pem"
ssl => true
ssl_certificate_verification => false
}
#}
}

And my json file also

{
"_index": "winlogbeat-logstash",
"_type": "_doc",
"_id": "4M9xcnsBCY2IxqY0vsaP",
"_version": 1,
"_score": null,
"fields": {
"agent.version.keyword": [
"7.13.2"
],
"event.category": [
"process"
],
"host.name.keyword": [
"SSLAB-PSF-CXDC1.SSLAB-PSF.local"
],
"host.hostname": [
"SSLAB-PSF-CXDC1"
],
"host.mac": [
"00:50:56:9b:15:1c"
],
"winlog.process.pid": [
14732
],
"host.os.version": [
"10.0"
],
"agent.name": [
"SSLAB-PSF-CXDC1"
],
"file.directory.keyword": [
"C:\Program Files\Citrix\ConfigSync"
],
"user.id": [
"S-1-5-20"
],
"host.os.type": [
"windows"
],
"agent.id.keyword": [
"5614b39f-b6cb-4ef6-9dd9-bdca3b4cc1cc"
],
"agent.hostname": [
"SSLAB-PSF-CXDC1"
],
"file.path.keyword": [
"C:\Program Files\Citrix\ConfigSync\ConfigSync.ps1"
],
"powershell.sequence": [
1
],
"tags": [
"beats_input_codec_plain_applied"
],
"host.architecture": [
"x86_64"
],
"event.provider": [
"Microsoft-Windows-PowerShell"
],
"event.code": [
"4104"
],
"agent.id": [
"5614b39f-b6cb-4ef6-9dd9-bdca3b4cc1cc"
],
"winlog.provider_name.keyword": [
"Microsoft-Windows-PowerShell"
],
"winlog.user.domain.keyword": [
"NT AUTHORITY"
],
"powershell.total": [
5
],
"winlog.process.thread.id": [
15672
],
"winlog.api.keyword": [
"wineventlog"
],
"tags.keyword": [
"beats_input_codec_plain_applied"
],
"host.ip": [
"192.168.15.107"
],
"agent.type": [
"winlogbeat"
],
"event.type.keyword": [
"info"
],
"host.os.kernel.keyword": [
"10.0.17763.2114 (WinBuild.160101.0800)"
],
"file.extension.keyword": [
"ps1"
],
"winlog.api": [
"wineventlog"
],
"winlog.user.identifier.keyword": [
"S-1-5-20"
],
"winlog.user.type.keyword": [
"Well Known Group"
],
"event.provider.keyword": [
"Microsoft-Windows-PowerShell"
],
"host.id": [
"ff820ffd-67df-4b03-a7b6-4083ffcf5fd1"
],
"agent.type.keyword": [
"winlogbeat"
],
"agent.ephemeral_id.keyword": [
"a76c1e2b-30b5-4176-a57e-f604ebde1edd"
],
"file.directory": [
"C:\Program Files\Citrix\ConfigSync"
],
"agent.name.keyword": [
"SSLAB-PSF-CXDC1"
],
"file.name": [
"ConfigSync.ps1"
],
"winlog.user.name": [
"NETWORK SERVICE"
],
"event.action": [
"Execute a Remote Command"
],
"@timestamp": [
"2021-08-23T09:56:38.518Z"
],
"winlog.channel": [
"Microsoft-Windows-PowerShell/Operational"
],
"host.os.platform": [
"windows"
],
"winlog.user.name.keyword": [
"NETWORK SERVICE"
],
"winlog.opcode": [
"On create calls"
],
"agent.ephemeral_id": [
"a76c1e2b-30b5-4176-a57e-f604ebde1edd"
],
"winlog.event_id.keyword": [
"4104"
],
"file.path": [
"C:\Program Files\Citrix\ConfigSync\ConfigSync.ps1"
],
"host.architecture.keyword": [
"x86_64"
],
"event.category.keyword": [
"process"
],
"winlog.provider_name": [
"Microsoft-Windows-PowerShell"
],
"winlog.provider_guid": [
"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"
],
"host.os.build.keyword": [
"17763.2114"
],
"event.code.keyword": [
"4104"
],
"winlog.computer_name": [
"SSLAB-PSF-CXDC1.SSLAB-PSF.local"
],
"user.id.keyword": [
"S-1-5-20"
],
"agent.hostname.keyword": [
"SSLAB-PSF-CXDC1"
],
"host.ip.keyword": [
"192.168.15.107"
],
"ecs.version.keyword": [
"1.9.0"
],
"winlog.record_id": [
810877
],
"host.os.name": [
"Windows Server 2019 Standard"
],
"event.kind.keyword": [
"event"
],
"log.level": [
"warning"
],
"event.action.keyword": [
"Execute a Remote Command"
],
"host.id.keyword": [
"ff820ffd-67df-4b03-a7b6-4083ffcf5fd1"
],
"host.name": [
"SSLAB-PSF-CXDC1.SSLAB-PSF.local"
],
"host.os.version.keyword": [
"10.0"
],
"event.kind": [
"event"
],

system · September 22, 2021, 9:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.