This repository has been archived by the owner on Nov 21, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 68
/
winlogbeat.yml
123 lines (117 loc) · 3.91 KB
/
winlogbeat.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
winlogbeat.event_logs:
######## Collect From Local Server/Device Itself ########
- name: Application
ignore_older: 72h
include_xml: true
- name: System
include_xml: true
- name: Security
include_xml: true
processors:
- script:
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
- name: Microsoft-Windows-Sysmon/Operational
include_xml: true
processors:
- script:
lang: javascript
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
- name: Windows PowerShell
#event_id: 400, 403, 600, 800
include_xml: true
processors:
- script:
lang: javascript
id: powershell
file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
- name: Microsoft-Windows-PowerShell/Operational
#event_id: 4103, 4104, 4105, 4106
include_xml: true
processors:
- script:
lang: javascript
id: powershell
file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
- name: Microsoft-Windows-WMI-Activity/Operational
event_id: 5857,5858,5859,5860,5861
include_xml: true
######## END Collect From Local Server/Device Itself ########
######## Collect From Forwarded Events ########
- name: ForwardedEvents
include_xml: true
forwarded: false
processors:
- script:
when.equals.winlog.channel: Security
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
- script:
when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
lang: javascript
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
- script:
when.equals.winlog.channel: Windows PowerShell
lang: javascript
id: powershell
file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
- script:
when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
lang: javascript
id: powershell
file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
######## END Collect From Forwarded Events ########
#================================ Processors =====================================
processors:
- community_id:
- registered_domain:
field: dns.question.name
target_field: dns.question.registered_domain
target_etld_field: dns.question.top_level_domain
target_subdomain_field: dns.question.sudomain
ignore_missing: true
ignore_failure: true
- registered_domain:
field: url.domain
target_field: url.registered_domain
target_etld_field: url.top_level_domain
target_subdomain_field: url.sudomain
ignore_missing: true
ignore_failure: true
- registered_domain:
field: destination.domain
target_field: destination.registered_domain
target_etld_field: destination.top_level_domain
target_subdomain_field: destination.sudomain
ignore_missing: true
ignore_failure: true
- add_fields:
target: "organization"
fields:
name: "<CompanyInit>"
- add_fields:
target: "labels"
fields:
beats_pipeline_version: "<beatspipever>"
#-------------------- Logstash output -------------------
output.logstash:
# The Logstash hosts
hosts: ["<LogstashIP>:<LogstashPort>"]
# SSL
ssl.enabled: true
ssl.verification_mode: "certificate"
ssl.certificate_authorities: [ 'C:\Program Files\winlogbeat\ca.crt' ]
# ================================== Logging ===================================
logging.level: info
logging.to_files: true
logging.files:
path: 'C:\Program Files\winlogbeat\logs\'
name: winlogbeat
keepfiles: 7
logging.files.rotateeverybytes: 10485760 # 10MB # Default
permissions: 0600
#logging.to_eventlog: false