Logstash sysmon config working

- rearranged the sysmon logstash configuration and fixed syntax issues
- deleted separate configs per log names
- got it back to a few logstash configs only for now

logstash/pipeline/02-beats-input.conf

@@ -1,7 +1,7 @@
 input {
-	beats {
-		port => 5044
-		add_field => { "[@metadata][source]" => "winlogbeat"}
-		ssl => false
-	}
+  beats {
+    port => 5044
+    add_field => { "[@metadata][source]" => "winlogbeat"}
+    ssl => false
+  }
 }

logstash/pipeline/11-sysmon-filter.conf

@@ -1,67 +1,162 @@
 filter {
-    if [Channel] == "Microsoft-Windows-Sysmon/Operational" {
-        if [event_id] == 1 {
-            kv {
-                source => "[event_data][Hashes]"
-                field_split => ","
-                value_split => ":"
-                include_keys => ["SHA1", "MD5", "IMPHASH"]
-            }
-        }
-        mutate {
-            rename => { "[event_data][CommandLine" => "[process][commandline]" } 
-            rename => { "[event_data][CurrentDirectory" => "current_directory" }
-            rename => { "[event_data][Hashes][SHA1]" => "sha1" }
-            rename => { "[event_data][Hashes][MD5]" => "md5" }
-            rename => { "[event_data][Hashes][IMPHASH]" => "imphash" }
-            rename => { "[event_data][Image]" => "process"}
-            rename => { "[event_data][ImageLoaded" => "[process][module][loaded]"}
-            rename => { "[event_data][Signature]" => "[process][module][signature]"}
-            rename => { "[event_data][Signature]" => "[process][module][signature][status]"}
-            rename => { "[event_data][Signature]" => "[process][module][signed"}
-            rename => { "[event_data][IntegrityLevel]" => "[integrity][level]"}
-            rename => { "[event_data][LogonGuid]" => "[logon][guid]"}
-            rename => { "[event_data][ParentCommandLine]" => "[parent][process][commandline]"}
-            rename => { "[event_data][ParentImage]" => "[parent][process]"}
-            rename => { "[event_data][ParentProcessGuid]" => "[parent][process][guid]"}
-            rename => { "[event_data][ParentProcessId]" => "[parent][process][id]"}
-            rename => { "[event_data][ProcessGuid]" => "[process][guid]"}
-            rename => { "[event_data][ProcessId]" => "[process][id]"}
-            rename => { "[event_data][TerminalSessionId]" => "[terminal][session][id]"}
-            rename => { "[event_data][User]" => "user" }
-            rename => { "[event_data][NewThreatId]" => "[process][module][threadid]" }
-            rename => { "[event_data][StartAddress]" => "[process][module][start][address]" }
-            rename => { "[event_data][StartFunction]" => "[process][module][start][function]" }
-            rename => { "[event_data][StartModule]" => "[process][module][start]" }
-            rename => { "[event_data][Device]" => "Device" }
-            rename => { "[event_data][TargetFilename]" => "[file][name]" }
-            rename => { "[event_data][CreationUtcTime]" => "[file][time][creation]" }
-            rename => { "[event_data][CallTrace]" => "[process][access][calltrace]" }
-            rename => { "[event_data][GrantedAccess]" => "[process][access][code]" }
-            rename => { "[event_data][SourceImage]" => "[process][source]" }
-            rename => { "[event_data][SourceProcessGUID]" => "[process][source][guid]" }
-            rename => { "[event_data][SourceProcessId]" => "[process][source][id]" }
-            rename => { "[event_data][SourceThreadId]" => "[process][source][threatid]" }
-            rename => { "[event_data][TargetImage]" => "[process][target]" }
-            rename => { "[event_data][TargetProcessGUID]" => "[process][target][guid]" }
-            rename => { "[event_data][TargetProcessId]" => "[process][target][id]" }
-            rename => { "[event_data][DestinationHostname]" => "[destination][hostname]" }
-            rename => { "[event_data][DestinationIp]" => "[destination][ip]" }
-            rename => { "[event_data][DestinationIsIpv6]" => "[destination][is][ipv6]" }
-            rename => { "[event_data][DestinationPort]" => "[destination][port][number]" }
-            rename => { "[event_data][DestinationPortName]" => "[destination][port][name]" }
-            rename => { "[event_data][Initiated]" => "initiated" }
-            rename => { "[event_data][Protocol]" => "protocol" }
-            rename => { "[event_data][SourceHostname]" => "[source][hostname]" }
-            rename => { "[event_data][SourceIp]" => "[source][ip]" }
-            rename => { "[event_data][SourceIsIpv6]" => "[source][is][ipv6]" }
-            rename => { "[event_data][SourcePort]" => "[source][port][number]" }
-            rename => { "[event_data][SourcePortName]" => "[source][port][name]" }
-            rename => { "[event_data][EventType]" => "[registry][event][type]" }
-            rename => { "[event_data][TargetObject]" => "[registry][key]" }
-            rename => { "[event_data][Details]" => "[registry][details]" }
-            rename => { "[event_data][PipeName]" => "[pipe][name]" }
-            rename => { "[event_data][UtcTime]" => "[event][timestamp][utc]"}
+  if [log_name] == "Microsoft-Windows-Sysmon/Operational"{
+    if [event_id] == 1 {
+      kv {
+        source => "[event_data][Hashes]"
+        field_split => ","
+        value_split => "="
+        target => [hash]
+      }
+      mutate {
+        remove_field => "[event_data][Hashes]"
+      }
+      mutate {
+        rename => {
+          "[event_data][CommandLine]" => "[process][commandline]"
+          "[event_data][CurrentDirectory]" => "[process][currentdirectory]"
+          "[event_data][Image]" => "[process][name]"
+          "[event_data][ParentImage]" => "[process][parent][name]"
+          "[event_data][ParentCommandLine]" => "[process][parent][commandline]"
+          "[event_data][IntegrityLevel]" => "[process][integritylevel]"
+          "[event_data][LogonGuid]" => "[process][logonguid]"
+          "[event_data][LogonId]" => "[process][logonid]"
+          "[event_data][ParentProcessGuid]" => "[process][parent][guid]"
+          "[event_data][ParentProcessId]" => "[process][parent][id]"
+          "[event_data][ProcessGuid]" => "[process][guid]"
+          "[event_data][ProcessId]" => "[process][id]"
+          "[event_data][TerminalSessionId]" => "[process][terminalsessionid]"
+          "[event_data][User]" => "username"
         }
+        remove_field => ["message"]
+      }
     }
-}
+    if [event_id] == 3 {
+      mutate {
+        rename => {
+          "[event_data][DestinationHostname]" => "[destination][hostname]"
+          "[event_data][DestinationIp]" => "[destination][ip]"
+          "[event_data][DestinationIsIpv6]" => "[destination][isipv6]"
+          "[event_data][DestinationPort]" => "[destination][port][number]"
+          "[event_data][DestinationPortName]" => "[destination][port][name]"
+          "[event_data][Image]" => "[process][name]"
+          "[event_data][Initiated]" => "[network][initiated]"
+          "[event_data][ProcessGuid]" => "[process][guid]"
+          "[event_data][ProcessId]" => "[process][id]"
+          "[event_data][Protocol]" => "[network][protocol]"
+          "[event_data][SourceHostname]" => "[source][hostname]"
+          "[event_data][SourceIp]" => "[source][ip]"
+          "[event_data][SourceIsIpv6]" => "[source][isipv6]"
+          "[event_data][SourcePort]" => "[source][port][number]"
+          "[event_data][SourcePortName]" => "[source][port][name]"
+          "[event_data][User]" => "username"
+        }
+        remove_field => ["message"]
+      }
+    }
+    if [event_id] == 7 {
+      kv {
+        source => "[event_data][Hashes]"
+        field_split => ","
+        value_split => "="
+        target => [hash]
+      }
+      mutate {
+        remove_field => "[event_data][Hashes]"
+      }
+      mutate {
+        rename => {
+          "[event_data][Image]" => "[process][name]"
+          "[event_data][ProcessGuid]" => "[process][guid]"
+          "[event_data][ProcessId]" => "[process][id]"
+          "[event_data][ImageLoaded]" => "[process][image][loaded]"
+          "[event_data][Signature]" => "[process][image][signature]"
+          "[event_data][SignatureStatus]" => "[process][image][signaturestatus]"
+          "[event_data][Signed]" => "[process][image][signed]"
+        }
+        remove_field => ["message"]
+      }
+    }
+    if [event_id] == 8 {
+      mutate {
+        rename => {
+          "[event_data][NewThreadId]" => "[process][newthreadid]"
+          "[event_data][SourceImage]" => "[process][source][image]"
+          "[event_data][SourceProcessGuid]" => "[process][source][guid]"
+          "[event_data][SourceProcessId]" => "[process][source][id]"
+          "[event_data][StartAddress]" => "[process][startaddress]"
+          "[event_data][StartFunction]" => "[process][startfunction]"
+          "[event_data][StartModule]" => "[process][startimage]"
+          "[event_data][TargetImage]" => "[process][target][image]"
+          "[event_data][TargetProcessGuid]" => "[process][target][guid]"
+          "[event_data][TargetProcessId]" => "[process][target][id]"
+        }
+        remove_field => ["message"]
+      }
+    }
+    if [event_id] == 9 {
+      mutate {
+        rename => {
+          "[event_data][Device]" => "[rawaccess][read][[device]"
+          "[event_data][Image]" => "[process][name]"
+          "[event_data][ProcessGuid]" => "[process][guid]"
+          "[event_data][ProcessId]" => "[process][id]"
+        }
+        remove_field => ["message"]
+      }
+    }
+    if [event_id] == 10 {
+      mutate {
+        rename => {
+          "[event_data][CallTrace]" => "[process][calltrace]"
+          "[event_data][GrantedAccess]" => "[process][grantedaccess]"
+          "[event_data][SourceImage]" => "[process][source][image]"
+          "[event_data][SourceProcessGUID]" => "[process][source][guid]"
+          "[event_data][SourceProcessId]" => "[process][source][id]"
+          "[event_data][SourceThreadId]" => "[process][source][threadid]"
+          "[event_data][TargetImage]" => "[process][target][image]"
+          "[event_data][TargetProcessGUID]" => "[process][target][guid]"
+          "[event_data][TargetProcessId]" => "[process][target][id]"
+        }
+        remove_field => ["message"]
+      }
+    }
+    if [event_id] == 11 {
+      mutate {
+        rename => {
+          "[event_data][CreationUtcTime]" => "[file][creationtime][utc]"
+          "[event_data][Image]" => "[process][name]"
+          "[event_data][ProcessGuid]" => "[process][guid]"
+          "[event_data][ProcessId]" => "[process][id]"
+          "[event_data][TargetFilename]" => "[file][name]"
+        }
+        remove_field => ["message"]
+      }
+    }
+    if [event_id] == 12 or [event_id] == 13 {
+      mutate {
+        rename => {
+          "[event_data][EventType]" => "[registry][eventtype]"
+          "[event_data][Image]" => "[process][name]"
+          "[event_data][ProcessGuid]" => "[process][guid]"
+          "[event_data][ProcessId]" => "[process][id]"
+          "[event_data][TargetObject]" => "[registry][target][object]"
+          "[event_data][Details]" => "[registry][details]"
+        }
+        remove_field => ["message"]
+      }
+    }
+    if [event_id] == 18 or [event_id] == 17 {
+      mutate {
+        rename => {
+          "[event_data][Image]" => "[process][name]"
+          "[event_data][ProcessGuid]" => "[process][guid]"
+          "[event_data][ProcessId]" => "[process][id]"
+          "[event_data][PipeName]" => "[pipe][name]"
+        }
+        remove_field => ["message"]
+      }
+    }
+    mutate { rename => { "[event_data][UtcTime]" => "[event][creationtime][utc]" } }
+  }  
+}
+

logstash/pipeline/50-elasticsearch-output.conf

@@ -1,49 +1,11 @@
 output {
-	if [@metadata][source] == "winlogbeat" {
-		if [Channel] == "Microsoft-Windows-Sysmon/Operational" {
-			elasticsearch {
-				hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
-				sniffing => true
-				manage_template => false 
-				index => "windows_sysmon-%{+YYYY.MM.dd}"
-				document_type => "%{[@metadata][type]}"
-			}
-		}
-		if [Channel] == "System" {
-			elasticsearch {
-				hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
-				sniffing => true
-				manage_template => false 
-				index => "windows_system-%{+YYYY.MM.dd}"
-				document_type => "%{[@metadata][type]}"
-			}
-		}
-		if [Channel] == "Security"{
-			elasticsearch {
-				hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
-				sniffing => true
-				manage_template => false 
-				index => "windows_security-%{+YYYY.MM.dd}"
-				document_type => "%{[@metadata][type]}"
-			}
-		}
-		if [Channel] == "Application"{
-			elasticsearch {
-				hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
-				sniffing => true
-				manage_template => false 
-				index => "windows_application-%{+YYYY.MM.dd}"
-				document_type => "%{[@metadata][type]}"
-			}
-		}
-		if [Channel] == "Microsoft-Windows-PowerShell/Operational"{
-			elasticsearch {
-				hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
-				sniffing => true
-				manage_template => false 
-				index => "windows_powershell-%{+YYYY.MM.dd}"
-				document_type => "%{[@metadata][type]}"
-			}
-		}
-	}
+  if [@metadata][source] == "winlogbeat" {
+    elasticsearch {
+      hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
+      sniffing => true
+      manage_template => false
+      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
+      document_type => "%{[@metadata][type]}"
+    }
+  }
 }

logstash/pipeline/55-sysmon-output.conf

@@ -1,13 +0,0 @@
-output {
-	if [@metadata][source] == "winlogbeat" {
-		if [Channel] == "Microsoft-Windows-Sysmon/Operational" {
-			elasticsearch {
-				hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
-				sniffing => true
-				manage_template => false 
-				index => "windows_sysmon-%{+YYYY.MM.dd}"
-				document_type => "%{[@metadata][type]}"
-			}
-		}
-    }
-}

logstash/pipeline/56-windows-system-output.conf

@@ -1,13 +0,0 @@
-output {
-	if [@metadata][source] == "winlogbeat" {
-		if [Channel] == "System" {
-			elasticsearch {
-				hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
-				sniffing => true
-				manage_template => false 
-				index => "windows_system-%{+YYYY.MM.dd}"
-				document_type => "%{[@metadata][type]}"
-			}
-		}
-    }
-}

logstash/pipeline/57-windows-security.conf

@@ -1,13 +0,0 @@
-output {
-	if [@metadata][source] == "winlogbeat" {
-		if [Channel] == "Security"{
-			elasticsearch {
-				hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
-				sniffing => true
-				manage_template => false 
-				index => "windows_security-%{+YYYY.MM.dd}"
-				document_type => "%{[@metadata][type]}"
-			}
-		}
-    }
-}

logstash/pipeline/58-windows-application.conf

@@ -1,13 +0,0 @@
-output {
-	if [@metadata][source] == "winlogbeat" {
-		if [Channel] == "Application"{
-			elasticsearch {
-				hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
-				sniffing => true
-				manage_template => false 
-				index => "windows_application-%{+YYYY.MM.dd}"
-				document_type => "%{[@metadata][type]}"
-			}
-		}
-    }
-}

logstash/pipeline/59-windows-powershell.conf

@@ -1,13 +0,0 @@
-output {
-	if [@metadata][source] == "winlogbeat" {
-		if [Channel] == "Microsoft-Windows-PowerShell/Operational"{
-			elasticsearch {
-				hosts => ["elasticsearch:9200", "127.0.0.1:9200"]
-				sniffing => true
-				manage_template => false 
-				index => "windows_powershell-%{+YYYY.MM.dd}"
-				document_type => "%{[@metadata][type]}"
-			}
-		}
-	}
-}

logstash/pipeline/sysmon-filter.conf

@@ -1,67 +0,0 @@
-filter {
-    if [Channel] == "Microsoft-Windows-Sysmon/Operational" {
-        if [event_id] == 1 {
-            kv {
-                source => "[event_data][Hashes]"
-                field_split => ","
-                value_split => ":"
-                include_keys => ["SHA1", "MD5", "IMPHASH"]
-            }
-        }
-        mutate {
-            rename => { "[event_data][CommandLine" => "[process][commandline]" } 
-            rename => { "[event_data][CurrentDirectory" => "current_directory" }
-            rename => { "[event_data][Hashes][SHA1]" => "sha1" }
-            rename => { "[event_data][Hashes][MD5]" => "md5" }
-            rename => { "[event_data][Hashes][IMPHASH]" => "imphash" }
-            rename => { "[event_data][Image]" => "process"}
-            rename => { "[event_data][ImageLoaded" => "[process][module][loaded]"}
-            rename => { "[event_data][Signature]" => "[process][module][signature]"}
-            rename => { "[event_data][Signature]" => "[process][module][signature][status]"}
-            rename => { "[event_data][Signature]" => "[process][module][signed"}
-            rename => { "[event_data][IntegrityLevel]" => "[integrity][level]"}
-            rename => { "[event_data][LogonGuid]" => "[logon][guid]"}
-            rename => { "[event_data][ParentCommandLine]" => "[parent][process][commandline]"}
-            rename => { "[event_data][ParentImage]" => "[parent][process]"}
-            rename => { "[event_data][ParentProcessGuid]" => "[parent][process][guid]"}
-            rename => { "[event_data][ParentProcessId]" => "[parent][process][id]"}
-            rename => { "[event_data][ProcessGuid]" => "[process][guid]"}
-            rename => { "[event_data][ProcessId]" => "[process][id]"}
-            rename => { "[event_data][TerminalSessionId]" => "[terminal][session][id]"}
-            rename => { "[event_data][User]" => "user" }
-            rename => { "[event_data][NewThreatId]" => "[process][module][threadid]" }
-            rename => { "[event_data][StartAddress]" => "[process][module][start][address]" }
-            rename => { "[event_data][StartFunction]" => "[process][module][start][function]" }
-            rename => { "[event_data][StartModule]" => "[process][module][start]" }
-            rename => { "[event_data][Device]" => "Device" }
-            rename => { "[event_data][TargetFilename]" => "[file][name]" }
-            rename => { "[event_data][CreationUtcTime]" => "[file][time][creation]" }
-            rename => { "[event_data][CallTrace]" => "[process][access][calltrace]" }
-            rename => { "[event_data][GrantedAccess]" => "[process][access][code]" }
-            rename => { "[event_data][SourceImage]" => "[process][source]" }
-            rename => { "[event_data][SourceProcessGUID]" => "[process][source][guid]" }
-            rename => { "[event_data][SourceProcessId]" => "[process][source][id]" }
-            rename => { "[event_data][SourceThreadId]" => "[process][source][threatid]" }
-            rename => { "[event_data][TargetImage]" => "[process][target]" }
-            rename => { "[event_data][TargetProcessGUID]" => "[process][target][guid]" }
-            rename => { "[event_data][TargetProcessId]" => "[process][target][id]" }
-            rename => { "[event_data][DestinationHostname]" => "[destination][hostname]" }
-            rename => { "[event_data][DestinationIp]" => "[destination][ip]" }
-            rename => { "[event_data][DestinationIsIpv6]" => "[destination][is][ipv6]" }
-            rename => { "[event_data][DestinationPort]" => "[destination][port][number]" }
-            rename => { "[event_data][DestinationPortName]" => "[destination][port][name]" }
-            rename => { "[event_data][Initiated]" => "initiated" }
-            rename => { "[event_data][Protocol]" => "protocol" }
-            rename => { "[event_data][SourceHostname]" => "[source][hostname]" }
-            rename => { "[event_data][SourceIp]" => "[source][ip]" }
-            rename => { "[event_data][SourceIsIpv6]" => "[source][is][ipv6]" }
-            rename => { "[event_data][SourcePort]" => "[source][port][number]" }
-            rename => { "[event_data][SourcePortName]" => "[source][port][name]" }
-            rename => { "[event_data][EventType]" => "[registry][event][type]" }
-            rename => { "[event_data][TargetObject]" => "[registry][key]" }
-            rename => { "[event_data][Details]" => "[registry][details]" }
-            rename => { "[event_data][PipeName]" => "[pipe][name]" }
-            rename => { "[event_data][UtcTime]" => "[event][timestamp][utc]"}
-        }
-    }
-}