Winlogbeat配置收集Windows事件安全日志
收集安全日志,删除TargetUserName为计算机名称的事件
# Needed for Graylog: put the collector fields at the top level of each event
# so the Graylog sidecar/input can attribute it to this collector.
fields_under_root: true
fields.collector_node_id: AD1901
fields.gl2_source_collector: 1d7f1a6b-3498-42dc-99ac-b898ad88cb88

# Ship to the Graylog Beats input (Logstash-compatible protocol).
output.logstash:
  hosts:
    - '10.10.20.7:5044'

# Single-quoted so the backslashes stay literal regardless of parser.
path:
  data: 'C:\Program Files\Graylog\sidecar\cache\winlogbeat\data'
  logs: 'C:\Program Files\Graylog\sidecar\logs'

tags:
  - windows

winlogbeat:
  event_logs:
    - name: Security
      # Skip events older than 24h on first start / after a long outage.
      ignore_older: 24h
      processors:
        # Drop Security events whose target is a computer account. Computer
        # account names end in "$"; the pattern is unanchored, so any
        # TargetUserName containing "$" is dropped, not only a trailing one.
        # Applies to every event ID in the channel, not just logon events.
        - drop_event:
            when:
              regexp:
                winlog.event_data.TargetUserName: '.*\$'
收集安全日志，删除TargetUserName为计算机名称、以HealthMailbox开头或为SYSTEM的事件
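# Needed for Graylog: collector identity fields at the top level of each event.
# ${sidecar.nodeName} / ${sidecar.nodeId} are substituted by the Graylog sidecar
# before Winlogbeat reads the file; quoted so an unexpected expansion cannot be
# re-typed by the YAML parser.
fields_under_root: true
fields.collector_node_id: '${sidecar.nodeName}'
fields.gl2_source_collector: '${sidecar.nodeId}'

# Ship to the Graylog Beats input (Logstash-compatible protocol).
output.logstash:
  hosts:
    - '10.10.20.7:5044'

# Single-quoted so the backslashes stay literal regardless of parser.
path:
  data: 'C:\Program Files\Graylog\sidecar\cache\winlogbeat\data'
  logs: 'C:\Program Files\Graylog\sidecar\logs'

tags:
  - windows

winlogbeat:
  event_logs:
    - name: Security
      # Skip events older than 24h on first start / after a long outage.
      ignore_older: 24h
      processors:
        # Drop noise by target account. None of these conditions is scoped to
        # an event ID, so they remove every Security event for that account,
        # e.g. authentication events of computer accounts and (on builds that
        # fill TargetUserName for 4688) process-creation records whose new
        # process runs as SYSTEM. NOTE(review): confirm that visibility gap is
        # acceptable, or add an equals.winlog.event_id term to each branch.
        - drop_event:
            when:
              or:
                # Computer accounts: the name ends in "$". Anchored to the end
                # so a user name that merely contains "$" is kept.
                - regexp:
                    winlog.event_data.TargetUserName: '\$$'
                # Accounts whose name starts with HealthMailbox. The original
                # pattern 'HealthMailbox*' meant "HealthMailbo" followed by any
                # number of "x" anywhere in the name; '^HealthMailbox' is the
                # intended prefix match.
                - regexp:
                    winlog.event_data.TargetUserName: '^HealthMailbox'
                # The local SYSTEM account.
                - equals:
                    winlog.event_data.TargetUserName: 'SYSTEM'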
以下参考:
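# Collector identity for Graylog; the sidecar substitutes the ${sidecar.*}
# variables before Winlogbeat reads the file.
fields_under_root: true
fields.collector_node_id: '${sidecar.nodeName}'
fields.gl2_source_collector: '${sidecar.nodeId}'

output.logstash:
  hosts:
    - 'graylog:5044'

# NOTE(review): the conditions below match on `event_id`, the top-level field
# of Winlogbeat 6.x. Winlogbeat 7+ exposes it as `winlog.event_id` (the name the
# other examples on this page use). With a field name that does not exist the
# `or` never matches and `not.or` drops EVERY event, so verify the name against
# the installed version before relying on these allowlists.
winlogbeat.event_logs:
  - name: Application
    # `level` is a comma-separated string of levels to keep.
    level: critical, error, warning
    ignore_older: 48h

  - name: Security
    processors:
      # Allowlist: any Security event whose ID is not listed is dropped at the
      # collector and never reaches Graylog. NOTE(review): 4634 (logoff) is kept
      # but 4624/4625 (logon success/failure), 4672 (special privileges) and
      # 4719 (audit policy change) are not; 4624/4625/4719/4738 appear in the
      # System list below, where they can never occur. Confirm which list they
      # belong in.
      - drop_event.when.not.or:
          - equals.event_id: 129
          - equals.event_id: 141
          - equals.event_id: 1102
          - equals.event_id: 4648
          - equals.event_id: 4657
          - equals.event_id: 4688
          - equals.event_id: 4697
          - equals.event_id: 4698
          - equals.event_id: 4720
          - equals.event_id: 4738
          - equals.event_id: 4767
          - equals.event_id: 4728
          - equals.event_id: 4732
          - equals.event_id: 4634
          - equals.event_id: 4735
          - equals.event_id: 4740
          - equals.event_id: 4756
    level: critical, error, warning, information
    ignore_older: 48h

  - name: System
    processors:
      - drop_event.when.not.or:
          - equals.event_id: 129
          - equals.event_id: 1022
          - equals.event_id: 1033
          - equals.event_id: 1034
          # NOTE(review): 4624, 4625, 4633, 4719 and 4738 are Security-channel
          # audit events and will not appear in the System channel; these
          # entries never match here. Left in place pending confirmation of
          # where they were meant to go.
          - equals.event_id: 4624
          - equals.event_id: 4625
          - equals.event_id: 4633
          - equals.event_id: 4719
          - equals.event_id: 4738
          - equals.event_id: 7000
          - equals.event_id: 7022
          - equals.event_id: 7024
          - equals.event_id: 7031
          # `equals` is an exact match and does not understand ranges; the
          # original `7034-7036` was compared as a string and never matched.
          # Listed individually instead (a `range` condition would also work).
          - equals.event_id: 7034
          - equals.event_id: 7035
          - equals.event_id: 7036
          - equals.event_id: 7040
          - equals.event_id: 7045
    level: critical, error, warning
    ignore_older: 48h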
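winlogbeat:
  event_logs:
    - name: Application
      # `level` is a comma-separated string of levels to keep.
      level: critical, error, warning
      ignore_older: 72h

    - name: System
      level: critical, error, warning

    # One Security entry instead of two: both filters now run as separate
    # processors on the same channel, rather than configuring the channel
    # twice (two readers would share one name/checkpoint).
    - name: Security
      level: critical, error, warning, information
      processors:
        # Drop events whose subject is this host's own computer account
        # (the sidecar substitutes ${sidecar.nodeName} with the node name).
        # `when` takes a condition mapping, not a sequence (the original
        # `- contains...` list under `when` is not a valid condition), and the
        # field must use the Beats name: processors run inside Winlogbeat,
        # before Graylog flattens it to
        # winlogbeat_winlog_event_data_SubjectUserName.
        - drop_event.when:
            contains.winlog.event_data.SubjectUserName: '${sidecar.nodeName}'

        # Drop one specific, known-noisy combination of event, account and
        # process. NOTE(review): `equals` does not coerce types, and whether
        # winlog.event_id is a string or an integer depends on the Winlogbeat
        # version (the other example on this page compares it as an integer);
        # use the form that matches the installed version.
        - drop_event.when:
            and:
              - equals.winlog.event_id: "7234"
              - equals.winlog.event_data.TargetUserName: "user-admin-batman"
              # Anchored at the end so only that executable name matches.
              - regexp.winlog.event_data.ProcessName: 'university\.checkhash\.exe$'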
# Per-channel processors for the Security log (the enclosing event_logs entry
# is not part of this fragment). Each `and` branch removes one class of
# routine noise; an event matching any branch is dropped.
processors:
  - drop_event.when.or:
      # 4624 (successful logon) where the logged-on account is SYSTEM.
      - and:
          - equals.winlog.event_id: 4624
          - equals.winlog.event_data.TargetUserName: 'SYSTEM'

      # 4672 (special privileges assigned to new logon) for service identities.
      # NOTE(review): 'S-1-5-21' is the prefix of every domain and local
      # user/group SID, so this branch also drops 4672 for ordinary and
      # administrative user accounts; effectively only SYSTEM (S-1-5-18) and
      # non-S-1-5-21 identities keep their 4672 events. Confirm that is the
      # intended scope, since 4672 is the usual privileged-logon signal.
      - and:
          - equals.winlog.event_id: 4672
          - or:
              - equals.winlog.event_data.SubjectUserName: 'LOCAL SERVICE'
              - regexp.winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
              # S-1-5-20 = NETWORK SERVICE
              - equals.winlog.event_data.SubjectUserSid: 'S-1-5-20'
              # S-1-5-19 = LOCAL SERVICE
              - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'

      # Same subject filter for event 9999. NOTE(review): 9999 is not a
      # standard Security audit ID and this branch duplicates the 4672 one
      # exactly; it looks like a copied placeholder — confirm or remove.
      - and:
          - equals.winlog.event_id: 9999
          - or:
              - equals.winlog.event_data.SubjectUserName: 'LOCAL SERVICE'
              - regexp.winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
              - equals.winlog.event_data.SubjectUserSid: 'S-1-5-20'
              - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'