Cesare
6 years ago

Hello Pablo,
very nice work, I'll try to take some of your suggestions.
I was testing your config and I just want to advise you that you forgot a "}" to close the else if:
else if [event_data][LogonType] == "9" {
mutate {
add_field => { "Method" => "NewCredentials" }
}

thanks again,
Cesare
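
A brace-balanced version of the LogonType branch discussed in the comment above, written here as an added example (it is not the article's or the commenter's config). It keeps the [event_data][LogonType] field path and the "Method" field name from the comment, and extends the single else-if to the other common Windows logon type codes carried by event 4624 (2 Interactive, 3 Network, 9 NewCredentials, 10 RemoteInteractive); the surrounding guard and the final else branch are assumptions added for completeness:

```logstash
filter {
  # Only touch events that actually carry a logon type (event 4624 does).
  if [event_data][LogonType] {
    if [event_data][LogonType] == "2" {
      mutate { add_field => { "Method" => "Interactive" } }
    } else if [event_data][LogonType] == "3" {
      mutate { add_field => { "Method" => "Network" } }
    } else if [event_data][LogonType] == "9" {
      # Type 9 is a RunAs /netonly style logon: new credentials for outbound
      # connections only, which is why it is worth labelling separately.
      mutate { add_field => { "Method" => "NewCredentials" } }
    } else if [event_data][LogonType] == "10" {
      mutate { add_field => { "Method" => "RemoteInteractive" } }
    } else {
      # Assumed catch-all so every logon event gets a Method value.
      mutate { add_field => { "Method" => "Other" } }
    }
  }
}
```

Each `else if` opens and closes its own block, so the chain ends with a single brace before the closing `else`. A missing brace like the one reported above is caught before the pipeline starts by running Logstash with `--config.test_and_exit` (short form `-t`) against the conf.d directory; the pipeline refuses to load and reports the line where the parser ran out of input.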

Francesco Ferrari
6 years ago

Pablo, would you mind sharing your config files? I've tried to make it work but am far from it.

Thanks for your attention.

Franthesco Ferrari
5 years ago
Reply to Pablo Delgado

Hi Pablo, I finally got it to work 🙂
Would you mind sharing your dashboard files?!
Thanks

Sana
5 years ago
Reply to Pablo Delgado

I am unable to make two indexes using your logstash conf, one for windows and one for security. I am using logstash 7.3. Please help me out with this.

Atif M Baig
5 years ago

Can you please share the config files?

Atif M Baig
5 years ago
Reply to Pablo Delgado

I am running the whole ELK stack on one Ubuntu server. I am looking for the logstash files and the elasticsearch and filebeat.yml files.

Atif Baig
5 years ago
Reply to Atif M Baig

I am using winlogbeat on my windows servers to send the logs to the logstash output. I am using 02-beats-input.conf, 10-syslog-filter.conf and 30-elasticsearch-output.conf. How should I use your code file name in my case? Should I use 11-ad-monitoring.conf or just ad-monitoring.conf? These files are saved in the /etc/logstash/conf.d folder. Please advise.

Sana
5 years ago

Please share the logstash file, my fields for filters are not working. All data is coming in with winlogbeat.event_id etc., but when I try to filter and add fields, it is not working. Also I am unable to make a separate index for Security and the other windows logs.

Mudit
4 years ago

How do we send the logs from an Active Directory that exists on premises to a winlogbeat that exists in the AWS cloud?

Brajesh
4 years ago

Hey, this is a beautiful article. I am just getting started with ELK. I am trying out 7.8 right now. So by default in the /etc/logstash/conf.d folder I have one logstash.conf file with no filter.

Should I create another conf file with the input, filter, and output sections, with the input section pointing to 5044, the default logstash port?

trackback

[…] Monitoring Active Directory with ELK – Syspanda […]