Created
June 29, 2017 16:25
-
-
Save deruke/093e9fa9b666aa211cfdce81921cb3ce to your computer and use it in GitHub Desktop.
winevent-logstash
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # capture windows events over JSON | |
| # expects to be sent by the NXLOG package | |
| # author: Joff Thyer, 2017 | |
| input { | |
| tcp { | |
| port => 3515 | |
| codec => json | |
| } | |
| } | |
| filter { | |
| # multiple conditions could occur with timestamps | |
| # (1) UtcTime field exists and is populated | |
| # (2) UtcTime is contained within "Message" field | |
| # (3) UtcTime field does not exist and is not in "Message" field | |
| if "Microsoft-Windows-Sysmon" in [SourceName] { | |
| grok { | |
| match => { | |
| "Message" => "^(?<SysmonEventType>[A-Za-z\s]+):\s" | |
| } | |
| } | |
| grok { | |
| match => { | |
| "Message" => | |
| "(?m)UtcTime:\s([0-9]{4}-[0-9]{2}-[0-9]{2}\s[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3})" | |
| } | |
| } | |
| } | |
| date { | |
| match => [ "UtcTime", "yyyy-MM-dd HH:mm:ss.SSS" ] | |
| timezone => "UTC" | |
| } | |
| if "_dateparsefailure" in [tags] { | |
| # worst possible time granuality result | |
| date { | |
| match => [ "EventTime", "yyyy-MM-dd HH:mm:ss" ] | |
| timezone => "America/New_York" | |
| } | |
| } | |
| #mutate { remove_tag => [ "_dateparsefailure" ] } | |
| #mutate { remove_tag => [ "_grokparsefailure" ] } | |
| } | |
| output { | |
| elasticsearch { | |
| hosts => [ "127.0.0.1:9200" ] | |
| index => "winevent-%{+YYYY.MM.dd}" | |
| } | |
| #stdout { codec => rubydebug } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment