Windows EventLog logstash config
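# filter handled by puppet
#
# Normalises Windows EventLog events (as shipped by nxlog in JSON) into a
# common field layout: a few well-known top-level fields (hostname, message,
# ip, port, level, ...) plus everything else under [eventlog][...].
# Every value here is copied straight from the inbound event; nothing in this
# filter validates or sanitises it, so downstream consumers must treat the
# renamed fields as untrusted sender-supplied data.
filter {
  # EventTime actually matches: \d{4}\-\d{2}-\d{2} \d{2}\:\d{2}\:\d{2}
  # (the `=~ ".*"` test matches any value, so it effectively only requires
  # the field to be present; the real format check is the date{} match below).
  # Events whose Message contains "Session_Citrix Xen" are excluded entirely.
  if [type] == "eventlog"
     and [EventTime] =~ ".*"
     and [Message] !~ "Session_Citrix Xen" {

    mutate {
      # Lowercase some values that are always in uppercase
      lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
    }

    date {
      # Convert timestamp from integer in UTC
      # match => [ "EventReceivedTime", "ISO8601" ]
      # NOTE(review): no `timezone` option is given, so the date filter
      # interprets EventTime in the Logstash host's local zone. If EventTime
      # really is UTC, as the comment above says, add `timezone => "UTC"`;
      # otherwise @timestamp will be offset and event timelines will be wrong.
      match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ]
    }

    # Map nxlog/EventLog field names onto the target schema. Repeated
    # `rename` entries in one mutate block are intended to be merged by the
    # config parser; if a Logstash version rejects that, collapse them into a
    # single array.
    mutate {
      rename => [ "AccountName",               "[eventlog][user]" ]
      rename => [ "AccountType",               "[eventlog][account_type]" ]
      rename => [ "ActivityID",                "[eventlog][activity_id]" ]
      rename => [ "AdapterName",               "[eventlog][dns][adapter_name]" ]
      rename => [ "AdapterSuffixName",         "[eventlog][dns][adapter_suffix_name]" ]
      rename => [ "Address",                   "ip6" ]
      rename => [ "ApplicationPath",           "[eventlog][application_path]" ]
      rename => [ "AuthenticationPackageName", "[eventlog][authentication_package_name]" ]
      rename => [ "Category",                  "[eventlog][category]" ]
      rename => [ "Channel",                   "[eventlog][channel]" ]
      rename => [ "ConnType",                  "[eventlog][conn_type]" ]
      rename => [ "ClientIP",                  "[eventlog][client_ip]" ]
      rename => [ "DnsServerList",             "[eventlog][dns][dns_server_list]" ]
      rename => [ "Domain",                    "domain" ]
      rename => [ "EventID",                   "[eventlog][event_id]" ]
      rename => [ "EventType",                 "[eventlog][event_type]" ]
      rename => [ "File",                      "[eventlog][file_path]" ]
      rename => [ "Guid",                      "[eventlog][guid]" ]
      rename => [ "Hostname",                  "hostname" ]
      rename => [ "hResult",                   "[eventlog][hresult]" ]
      rename => [ "Interface",                 "[eventlog][interface]" ]
      rename => [ "InterfaceGuid",             "[eventlog][interface_guid]" ]
      rename => [ "InterfaceName",             "[eventlog][interface_name]" ]
      # Note the case-sensitive pair: "IpAddress" is the logon source address,
      # "Ipaddress" (DNS client events) is kept separately under [dns].
      rename => [ "IpAddress",                 "ip" ]
      rename => [ "Ipaddress",                 "[eventlog][dns][ip_address]" ]
      rename => [ "IpPort",                    "port" ]
      rename => [ "Key",                       "[eventlog][key]" ]
      rename => [ "LogonGuid",                 "[eventlog][logon_guid]" ]
      rename => [ "Message",                   "message" ]
      rename => [ "ModifyingUser",             "[eventlog][modifying_user]" ]
      rename => [ "NewProfile",                "[eventlog][new_profile]" ]
      rename => [ "OldProfile",                "[eventlog][old_profile]" ]
      rename => [ "Opcode",                    "[eventlog][opcode]" ] # http://msdn.microsoft.com/en-us/library/windows/desktop/dd996918%28v=vs.85%29.aspx
      rename => [ "OpcodeValue",               "[eventlog][opcode_value]" ]
      rename => [ "param1",                    "[eventlog][param1]" ]
      rename => [ "param2",                    "[eventlog][param2]" ]
      rename => [ "Port",                      "port" ]
      rename => [ "PrivilegeList",             "[eventlog][privilege_list]" ]
      rename => [ "ProcessID",                 "[eventlog][process_id]" ]
      # Fixed: the original target was "[eventlog][process_name" (missing the
      # closing bracket), so ProcessName never landed under [eventlog].
      rename => [ "ProcessName",               "[eventlog][process_name]" ]
      rename => [ "ProviderGuid",              "[eventlog][provider_guid]" ]
      rename => [ "ReasonCode",                "[eventlog][reason_code]" ]
      rename => [ "RecordNumber",              "[eventlog][record_number]" ]
      rename => [ "roleId",                    "[eventlog][role_id]" ]
      rename => [ "ScenarioId",                "[eventlog][scenario_id]" ]
      rename => [ "Severity",                  "level" ]
      rename => [ "SeverityValue",             "[eventlog][severity_code]" ]
      rename => [ "SourceModuleName",          "nxlog_input" ]
      rename => [ "SourceName",                "[eventlog][program]" ]
      rename => [ "SubjectDomainName",         "[eventlog][subject_domain_name]" ]
      rename => [ "SubjectLogonId",            "[eventlog][subject_logonid]" ]
      rename => [ "SubjectUserName",           "[eventlog][subject_user_name]" ]
      rename => [ "SubjectUserSid",            "[eventlog][subject_user_sid]" ]
      rename => [ "System",                    "[eventlog][system]" ]
      rename => [ "TargetDomainName",          "[eventlog][target_domain_name]" ]
      rename => [ "TargetLogonId",             "[eventlog][target_logonid]" ]
      rename => [ "TargetUserName",            "[eventlog][target_user_name]" ]
      rename => [ "TargetUserSid",             "[eventlog][target_user_sid]" ]
      rename => [ "TotalXPaths",               "[eventlog][total_xpaths]" ]
      rename => [ "ThreadID",                  "thread" ]
    }

    mutate {
      # Remove redundant fields.
      # NOTE(review): LogonType, LogonProcessName and LmPackageName are
      # dropped here; for authentication events (4624/4625 style) those are
      # often the fields an analyst wants, so confirm they are really unwanted.
      remove_field => [
        "CurrentOrNextState",
        "Description",
        "EventReceivedTime",
        "EventTime",
        "EventTimeWritten",
        "IPVersion",
        "KeyLength",
        "Keywords",
        "LmPackageName",
        "LogonProcessName",
        "LogonType",
        "Name",
        "PolicyProcessingMode",
        "Protocol",
        "ProtocolType",
        "SourceModuleType",
        "State",
        "Task",
        "TransmittedServices",
        "Type",
        "UserID",
        "Version",
        "serverName"
      ]
    }

    # clean out the host name: strip the ".<site>.dev.intelliplan.net" suffix
    # so only the short host name remains. The value is whatever the sender
    # put in Hostname; it is lowercased but not otherwise checked.
    mutate {
      lowercase => [ "hostname" ]
      gsub => [ "hostname", "\.[^\.]+\.dev\.intelliplan\.net", "" ]
    }
  }
}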
# Receives JSON-encoded Windows EventLog events (one JSON document per line,
# as emitted by nxlog's JSON output) over plain TCP and tags them so the
# eventlog filter above picks them up.
input {
  tcp {
    codec => "json"
    # Listens on every interface with no TLS and no client authentication:
    # any host that can reach this port can submit arbitrary JSON that will be
    # accepted as a trusted "eventlog" event (including a spoofed Hostname,
    # Message, IpAddress, ...). Restrict `host` to the collector interface
    # and/or firewall the port to the known nxlog senders, and consider the
    # tcp input's `ssl_enable` option to authenticate and encrypt the stream.
    host => "0.0.0.0"
    port => 1935
    # Fixed tags/type; these are what the filter's `[type] == "eventlog"`
    # condition keys on.
    tags => ['windows', 'eventlog']
    type => "eventlog"
  }
}
Author
haf
commented
Jan 13, 2014
haf, did you find a solution that works? I am using basically the same nxlog config on my Windows servers as you, but I am having problems formatting the incoming logs. I don't think the json codec exists anymore, or at least it's deprecated.
Did you get eventlog working?