
I'm looking at aggregating data within the whole ELK stack (Elasticsearch/Logstash/Kibana) and I'm getting lots of good data from my Windows systems. It's working very well, but when I get Windows Security Events, I would like to correlate Windows event IDs to human-readable events (e.g. Event ID 4990 = User opens file, 4658 = User closes file).

I'm also looking to have multiple filters, kind of like a pivot table, where I can show which files encountered which Event IDs, grouped by user and file. I'm thinking it could look something like the following:

  • User1
    • file1
      • Event1 (human readable event name)| message | time
    • file2
      • Event2 | message | time
      • Event3 | message | time
  • User2
    • file3
      • Event4 | message | time

Do any of you know how to do this, or know of resources where I can accomplish this myself?

It's frustrating because I have all of the data, but can't seem to make it look like what I want.

Steve Butler

2 Answers


Ultimately for the most part these two features I've just learned to live without. Generally the data gets parsed down pretty well from filters, and fortunately Windows event logs already provide decent details of the event, so I just have learned to live with just digging into the message to get the information.

Steve Butler

To replace a given word or pattern with another given word or pattern you can use the translate dictionary function. I'm not really clear what you're asking for in the second part of your question; if you could clarify, it might be easier to answer.

Rumbles
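As an added example that is not part of either answer or of the Logstash project, the script below shows both halves of what the thread discusses: the event-ID-to-name lookup that Rumbles' answer points at (the same dictionary-plus-fallback semantics a Logstash `translate` filter applies, here done in plain Python so it can be run and checked offline), and the user → file → event grouping the question sketches, built over a handful of constructed Winlogbeat-style records. The event IDs and descriptions in `EVENT_NAMES` follow Microsoft's Security audit documentation; the field names (`event_id`, `user`, `file`, `timestamp`, `message`), the sample records and the option names quoted from the translate filter in the comment are assumptions for illustration.

```python
from collections import defaultdict

# Constructed mapping of Windows Security event IDs to human-readable names.
# This is the same shape of mapping you would hand to a Logstash translate
# filter, roughly (option names assumed from the plugin's documentation):
#   translate {
#     field       => "event_id"
#     destination => "event_name"
#     dictionary  => { "4656" => "A handle to an object was requested" ... }
#     fallback    => "unknown event"
#   }
EVENT_NAMES = {
    "4656": "A handle to an object was requested",
    "4663": "An attempt was made to access an object",
    "4658": "The handle to an object was closed",
    "4624": "An account was successfully logged on",
}
FALLBACK = "unknown event"

# Constructed sample records shaped like the fields a Winlogbeat/Logstash
# pipeline typically emits. Event 9999 is a deliberately unknown ID and the
# logon event (4624) carries no file, to exercise the fallback paths.
SAMPLE_EVENTS = [
    {"event_id": "4663", "user": "User1", "file": "file1",
     "timestamp": "2015-06-01T10:00:01Z", "message": "ReadData access"},
    {"event_id": 4656, "user": "User1", "file": "file1",
     "timestamp": "2015-06-01T10:00:00Z", "message": "Handle requested"},
    {"event_id": "4658", "user": "User1", "file": "file1",
     "timestamp": "2015-06-01T10:00:02Z", "message": "Handle closed"},
    {"event_id": "4663", "user": "User1", "file": "file2",
     "timestamp": "2015-06-01T10:05:00Z", "message": "WriteData access"},
    {"event_id": "4624", "user": "User2",
     "timestamp": "2015-06-01T09:59:00Z", "message": "Logon type 2"},
    {"event_id": "4656", "user": "User2", "file": "file3",
     "timestamp": "2015-06-01T11:00:00Z", "message": "Handle requested"},
    {"event_id": "9999", "user": "User2", "file": "file3",
     "timestamp": "2015-06-01T11:00:05Z", "message": "Constructed unknown ID"},
]


def translate_event(event, dictionary=EVENT_NAMES, fallback=FALLBACK,
                    field="event_id", destination="event_name"):
    """Mirror the translate filter: look `field` up in `dictionary` and write
    the result to `destination`, using `fallback` when the ID is unknown.
    The ID is coerced to str so numeric and string event_id values both match."""
    out = dict(event)
    out[destination] = dictionary.get(str(event.get(field)), fallback)
    return out


def pivot(events):
    """Group translated events as user -> file -> [(event_name, message, time)],
    with each file's events sorted chronologically. Events without a file
    (e.g. logons) are grouped under a placeholder so they are not dropped."""
    tree = defaultdict(lambda: defaultdict(list))
    for raw in events:
        ev = translate_event(raw)
        target = ev.get("file") or "(no object)"
        tree[ev["user"]][target].append(
            (ev["event_name"], ev["message"], ev["timestamp"]))
    # ISO-8601 timestamps with a fixed zone sort correctly as strings
    return {user: {f: sorted(evs, key=lambda e: e[2]) for f, evs in files.items()}
            for user, files in tree.items()}


def render(tree):
    """Render the nested view in the bullet layout the question sketches."""
    lines = []
    for user in sorted(tree):
        lines.append(f"• {user}")
        for fname in sorted(tree[user]):
            lines.append(f"  • {fname}")
            for name, message, ts in tree[user][fname]:
                lines.append(f"    • {name} | {message} | {ts}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(pivot(SAMPLE_EVENTS)))
```

In a real pipeline the translation step belongs in Logstash so the readable name is indexed alongside the ID and can be used as a Kibana terms aggregation; the grouping step is what a script run over an Elasticsearch query result (or a nested terms aggregation on user and file) would produce.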