This repository has been archived by the owner on Jul 27, 2022. It is now read-only.

elastic/logstash-filter-decode_wazuh

 
 


Decode XML Windows Events (Logstash Plugin)

This is a plugin for Logstash.

It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.

Documentation

This plugin will decode Windows Events that are formatted as XML. The output of the filter will conform to the Elastic Common Schema.

The plugin takes only one parameter, field, which names the field in the Logstash event that holds the Windows Event XML.

e.g.

input {
###
}

filter {
  decode_xml_winevents {
    field => "xmlstring"
  }
}

output {
  stdout { }
}

IMPORTANT: Since the output conforms to ECS, the message field in the Logstash event is copied to event.original, and the original Windows Event message is located in winlog.message.
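To make the decoding step concrete, here is an added Ruby example written for this page (not the plugin's own code): it parses a constructed Windows Event XML string and maps it to a flat hash of ECS-style fields, keeping the raw XML in event.original. The winlog.* field names follow Winlogbeat's layout and the sample event is constructed; both are assumptions, not something the README specifies.

```ruby
require 'rexml/document'

# Constructed sample: a trimmed Windows Security event (EventID 4624) in the
# XML form the plugin expects to find in the configured field.
SAMPLE_EVENT_XML = <<~XML
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing"/>
      <EventID>4624</EventID>
      <Channel>Security</Channel>
      <Computer>host01.example.local</Computer>
      <TimeCreated SystemTime="2022-07-01T12:34:56.789Z"/>
    </System>
    <EventData>
      <Data Name="TargetUserName">alice</Data>
      <Data Name="LogonType">10</Data>
      <Data Name="IpAddress">10.0.0.5</Data>
    </EventData>
  </Event>
XML

# Namespace-agnostic lookups: REXML's Element#name is the local name, so the
# default xmlns on <Event> does not get in the way.
def child(el, name); el && el.elements.find { |c| c.name == name }; end
def text_of(el); el && el.text; end
def attr_of(el, name); el && el.attributes[name]; end

# Decode one Windows Event XML string into a flat ECS-style hash. The winlog.* /
# event.* names are assumed (Winlogbeat's layout); this mapping is the example's own.
def decode_winevent_xml(xml)
  root = REXML::Document.new(xml).root
  raise ArgumentError, "not a Windows Event document" unless root && root.name == "Event"
  system = child(root, "System") or raise ArgumentError, "missing <System>"
  event_id = text_of(child(system, "EventID")) or raise ArgumentError, "missing <EventID>"
  out = {
    "event.original"       => xml,                                   # raw XML kept verbatim
    "winlog.provider.name" => attr_of(child(system, "Provider"), "Name"),
    "winlog.event_id"      => Integer(event_id),                     # non-numeric id raises
    "winlog.channel"       => text_of(child(system, "Channel")),
    "winlog.computer_name" => text_of(child(system, "Computer")),
    "@timestamp"           => attr_of(child(system, "TimeCreated"), "SystemTime"),
  }
  # Each <Data Name="..."> becomes winlog.event_data.<Name>; unnamed Data is skipped.
  child(root, "EventData")&.elements&.each do |d|
    next unless d.name == "Data" && d.attributes["Name"]
    out["winlog.event_data.#{d.attributes['Name']}"] = d.text.to_s
  end
  out
end
```

Fields absent from the event come back as nil rather than raising, which is the behaviour you want when the same pipeline sees events from many providers with different EventData layouts.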

  • Download plugin
# NOTE: a GitHub /blob/ URL returns an HTML page, not the .gem file; fetch the raw file instead (append ?raw=true to the link below)
wget https://github.com/codingogre/logstash-filter-decode_xml_winevents/blob/main/logstash-filter-decode_xml_winevents-1.0.0.gem
  • Install plugin
# Logstash 2.3 and higher
cd /path/to/logstash   # the directory where Logstash is installed
bin/logstash-plugin install --no-verify /path/to/logstash-filter-decode_xml_winevents-1.0.0.gem
  • Restart Logstash
systemctl restart logstash.service   # or whatever init system your OS uses
  • Test filter in Logstash pipeline
export LOGSTASH_HOME=/path/to/logstash   # wherever you installed Logstash
export FILTER_HOME=/path/to/repo         # wherever the git repo is checked out

cp $FILTER_HOME/samples/windows_event.xml /tmp && $LOGSTASH_HOME/bin/logstash -f $FILTER_HOME/samples/logstash-sample.conf
  • Test filter with field configuration in Logstash pipeline
export LOGSTASH_HOME=/path/to/logstash   # wherever you installed Logstash
export FILTER_HOME=/path/to/repo         # wherever the git repo is checked out

cp $FILTER_HOME/samples/windows_event_field.xml /tmp && $LOGSTASH_HOME/bin/logstash -f $FILTER_HOME/samples/logstash-sample-field.conf
