-
Notifications
You must be signed in to change notification settings - Fork 4
/
0420-logstash-windows-wef.conf
53 lines (49 loc) · 1.98 KB
/
0420-logstash-windows-wef.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
filter {
if [type] == "windows-wef" {
json {
source => "message"
tag_on_failure => "_jsonparsefailure"
}
mutate {
# Base
add_field => {
# Since it may be possible for windows time to be changed many hours, days, weeks, months, or years in the past to avoid time based monitoring (ie:in in a SIEM where looking for last 48 hours for suspicious events or etc) lets use the timestamp that the event was received.. This will also allow us to not to have to worry about converting certain sites that are not UTC and different time zones all over back to UTC too.
"[@meta][log][timestamp]" => "%{@timestamp}"
"[@meta][log][type]" => "windows-wef"
"[@meta][event_type]" => "endpoint"
"[@meta][log][host_ip]" => "%{[@meta][log][host_name]}"
}
# Remove NXLog fields
# Remove other windows field we do not want
remove_field => [
"port",
"SourceModuleType",
"type",
"message",
"SourceModuleName",
"SeverityValue",
"SourceName",
"Keywords",
"OpcodeValue",
"ProviderGuid",
"SeverityValue",
"Version"
]
# Rename some base fields
rename => {
"Hostname" => "[@meta][log][host_name]"
"RecordNumber" => "[win][log][record_num]"
"EventType" => "[win][log][type]"
"Opcode" => "[win][log][opcode]"
"host" => "[@meta][log][forwarder]"
"Severity" => "[@meta][log][level]"
}
lowercase => [
"[@meta][log][host_name]",
"[win][log][type]",
"[win][log][opcode]",
"[@meta][log][level]"
]
}
}
}