andrewkroh · November 1, 2023 01:17
diff --git a/filebeat.filestream-evtx_dump.yml b/filebeat.filestream-evtx_dump.yml
 ---

 filebeat.inputs:
  # Consume output from
  #  evtx_dump --dont-show-record-number -o xml <file.evtx> > /tmp/samples/file.evtx.xml
  # See https://github.com/omerbenamram/evtx.
  - type: filestream
    id: evtx_dump_xml
    parsers:
      - multiline:
          type: pattern
          pattern: '^<\?xml version='
          negate: true
          match: after
    paths:
      - /tmp/samples/*.evtx.xml
    publisher_pipeline.disable_host: true
    processors:
      - rename:
          fields:
            - from: message
              to: event.original
      - decode_xml_wineventlog:
          field: event.original
          target_field: winlog
      - convert:
          mode: copy
          fields:
            - from: winlog.time_created
              to: '@timestamp'
      - script:
          lang: javascript
          id: lowercase_host_name
          source: |
            function process(evt) {
              evt.Put("host.name", evt.Get("host.name").toLowerCase());
            }

 processors:
  - drop_fields:
      ignore_missing: true
      fields:
        - agent
        - ecs
        - input
        - log.file.device_id
        - log.file.inode
        - log.flags



 output.elasticsearch:
  hosts: ["localhost:9200"]

  # Pipeline to route events to security, sysmon, or powershell pipelines.
  # Install pipelines once using Winlogbeat.
  # https://www.elastic.co/guide/en/beats/winlogbeat/current/load-ingest-pipelines.html#winlogbeat-load-pipeline-manual
  pipeline: "winlogbeat-8.10.4-routing"
  
  # Setup the winlogbeat data stream using Winlogbeat.
  index: "winlogbeat-8.10.4"
	---

	filebeat.inputs:
	# Consume output from
	# evtx_dump --dont-show-record-number -o xml <file.evtx> > /tmp/samples/file.evtx.xml
	# See https://github.com/omerbenamram/evtx.
	- type: filestream
	id: evtx_dump_xml
	parsers:
	- multiline:
	type: pattern
	pattern: '^<\?xml version='
	negate: true
	match: after
	paths:
	- /tmp/samples/*.evtx.xml
	publisher_pipeline.disable_host: true
	processors:
	- rename:
	fields:
	- from: message
	to: event.original
	- decode_xml_wineventlog:
	field: event.original
	target_field: winlog
	- convert:
	mode: copy
	fields:
	- from: winlog.time_created
	to: '@timestamp'
	- script:
	lang: javascript
	id: lowercase_host_name
	source: \|
	function process(evt) {
	evt.Put("host.name", evt.Get("host.name").toLowerCase());
	}

	processors:
	- drop_fields:
	ignore_missing: true
	fields:
	- agent
	- ecs
	- input
	- log.file.device_id
	- log.file.inode
	- log.flags



	output.elasticsearch:
	hosts: ["localhost:9200"]

	# Pipeline to route events to security, sysmon, or powershell pipelines.
	# Install pipelines once using Winlogbeat.
	# https://www.elastic.co/guide/en/beats/winlogbeat/current/load-ingest-pipelines.html#winlogbeat-load-pipeline-manual
	pipeline: "winlogbeat-8.10.4-routing"

	# Setup the winlogbeat data stream using Winlogbeat.
	index: "winlogbeat-8.10.4"