Mike Simmons

My Workbench

Graylog format AccessList For Windows file events

Posted on March 16, 2018 by Mike in GrayLog

I set up Graylog to collect all the Windows event logs, including the file access auditing events from the file servers at work. I noticed that the winlogbeat_event_data_AccessList field did not say what access the event granted; it held one or more %%#### codes (the access-mask identifiers Windows writes into the Accesses field of object-access audit events such as 4656 and 4663). I decided to build a pipeline that decodes winlogbeat_event_data_AccessList into a new, human-readable field that I named AccessList.

I created a stream dedicated to Windows events, with a stream rule that routes every message carrying the Windows tag into it. All my Graylog collectors for Windows apply that tag.

(screenshot: the stream-windows stream and its routing rule)
I then created a pipeline named “format access list”, connected to the Windows stream, with three stages. In the first stage (stage 0) I created one rule, skip_accesslist, with the following code. The rule has no actions; it only matches messages that do not already have an AccessList field, so with the stage set to continue only when its rules match, messages that were already decoded never reach the later stages.

rule "skip_accesslist"
when
NOT has_field("AccessList")
then
end

I then created the next stage (stage 1) with one rule, “winlogbeat_event_data_AccessList_exists”, which initializes AccessList to a single “|” whenever the raw field is present:

rule "winlogbeat_event_data_AccessList_exists"
when
has_field("winlogbeat_event_data_AccessList")
then
set_field("AccessList", "|");
end

I then created the last stage (stage 2) with ten rules, one per access code, listed below. Each rule checks whether its code appears anywhere in winlogbeat_event_data_AccessList (the raw field can hold several codes separated by whitespace) and, if so, appends the name and a trailing “|” to AccessList. Graylog does not guarantee the order in which the rules of one stage run, so the order of the names in AccessList can differ from message to message; search on the individual names rather than on the whole string. A code that has no rule is simply ignored, so the field says nothing about accesses outside this list.

rule "winlogbeat_event_data_AccessList_%%4423"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%4423", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "ReadAttributes|");
set_field("AccessList", temp1);
end


rule "winlogbeat_event_data_AccessList_%%4417"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%4417", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "WriteData_or_AddFile|");
set_field("AccessList", temp1);
end


rule "winlogbeat_event_data_AccessList_%%4416"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%4416", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "ReadData_or_ListDirectory|");
set_field("AccessList", temp1);
end


rule "winlogbeat_event_data_AccessList_%%1537"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%1537", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "Delete|");
set_field("AccessList", temp1);
end


rule "winlogbeat_event_data_AccessList_%%1538"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%1538", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "READ_CONTROL|");
set_field("AccessList", temp1);
end


rule "winlogbeat_event_data_AccessList_%%4424"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%4424", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "WriteAttributes|");
set_field("AccessList", temp1);
end


rule "winlogbeat_event_data_AccessList_%%1541"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%1541", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "SYNCHRONIZE|");
set_field("AccessList", temp1);
end


rule "winlogbeat_event_data_AccessList_%%1539"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%1539", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "WRITE_DAC|");
set_field("AccessList", temp1);
end


rule "winlogbeat_event_data_AccessList_%%4419"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%4419", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "ReadEA|");
set_field("AccessList", temp1);
end


rule "winlogbeat_event_data_AccessList_%%1540"
when
has_field("winlogbeat_event_data_AccessList") && to_bool(regex("%%1540", to_string($message.winlogbeat_event_data_AccessList)).matches)
then
let temp1 = concat(to_string($message.AccessList), "WRITE_OWNER|");
set_field("AccessList", temp1);
end

With all three stages in place, every file event that carries the raw field also gets an AccessList field of the form |Name|Name|. A message whose winlogbeat_event_data_AccessList contains %%4416 and %%4423, for example, ends up with an AccessList of |ReadData_or_ListDirectory|ReadAttributes| (or the same two names in the other order), next to the untouched raw field. (screenshot of the result)
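As an added example (my own code, not part of the original post or of Graylog), here is a Python reference decoder that does offline what the three pipeline stages do in Graylog, so the mapping can be checked against sample messages before the rules are deployed. It also emits stage-2 rules in the post's format for all fifteen codes Windows uses in this field; the five codes beyond the post's ten (%%1542, %%4418, %%4420, %%4421, %%4422) and their names are taken from Microsoft's documentation of event 4663. The flattened field names follow the post; the sample events are constructed for this example.

```python
"""Reference decoder for the %%#### access codes that Windows object-access
audit events carry in their AccessList / Accesses field.

Added example, not code from the original post. decode_event() reproduces
what the "format access list" pipeline builds (an AccessList string of the
form "|Name|Name|"); render_stage2_rules() prints the post-style Graylog
rules for the whole table. Codes %%1542, %%4418, %%4420, %%4421 and %%4422
are not in the post; they come from Microsoft's documentation of event 4663.
"""
import json
import re

# Access-mask message identifiers as written in the Accesses field of
# events 4656/4663. Names follow the post's naming style.
ACCESS_CODES = {
    "%%1537": "Delete",
    "%%1538": "READ_CONTROL",
    "%%1539": "WRITE_DAC",
    "%%1540": "WRITE_OWNER",
    "%%1541": "SYNCHRONIZE",
    "%%1542": "ACCESS_SYS_SEC",
    "%%4416": "ReadData_or_ListDirectory",
    "%%4417": "WriteData_or_AddFile",
    "%%4418": "AppendData_or_AddSubdirectory",
    "%%4419": "ReadEA",
    "%%4420": "WriteEA",
    "%%4421": "Execute_or_Traverse",
    "%%4422": "DeleteChild",
    "%%4423": "ReadAttributes",
    "%%4424": "WriteAttributes",
}

CODE_RE = re.compile(r"%%\d{4}")


def decode_access_list(raw: str) -> str:
    """Return the pipeline-style string "|Name|Name|" for a raw AccessList.

    Windows separates several codes with whitespace (usually newlines and
    tabs). Codes are decoded in order of appearance; a code missing from the
    table is kept verbatim so that an unexpected access is not silently lost
    (the post's rules would ignore it instead).
    """
    names = [ACCESS_CODES.get(code, code) for code in CODE_RE.findall(raw)]
    return "|" + "".join(name + "|" for name in names)


def decode_event(event: dict) -> dict:
    """Mimic stages 1 and 2 on one flattened winlogbeat message.

    AccessList is only added when the raw field exists, as the rules do.
    """
    out = dict(event)
    raw = event.get("winlogbeat_event_data_AccessList")
    if raw is not None:
        out["AccessList"] = decode_access_list(str(raw))
    return out


def render_stage2_rules(codes: dict = ACCESS_CODES) -> str:
    """Emit one Graylog pipeline rule per code, in the shape of the post's
    stage-2 rules, so the full table can be pasted into the rule editor."""
    template = (
        'rule "winlogbeat_event_data_AccessList_{code}"\n'
        "when\n"
        '    has_field("winlogbeat_event_data_AccessList") && '
        'to_bool(regex("{code}", '
        "to_string($message.winlogbeat_event_data_AccessList)).matches)\n"
        "then\n"
        '    let temp1 = concat(to_string($message.AccessList), "{name}|");\n'
        '    set_field("AccessList", temp1);\n'
        "end\n"
    )
    return "\n".join(template.format(code=c, name=n) for c, n in codes.items())


# Constructed sample messages in the flattened field layout the post uses
# (winlogbeat_event_data_*). Paths and values are made up for this example.
SAMPLE_EVENTS = [
    {"winlogbeat_event_id": 4663,
     "winlogbeat_event_data_ObjectName": r"\\fs1\share\payroll.xlsx",
     "winlogbeat_event_data_AccessList": "%%4416\n\t\t\t\t%%4423"},
    {"winlogbeat_event_id": 4663,
     "winlogbeat_event_data_ObjectName": r"\\fs1\share\old",
     "winlogbeat_event_data_AccessList": "%%1537 %%4422 %%9999"},
    # A logon event: no raw field, so no AccessList is added.
    {"winlogbeat_event_id": 4624, "winlogbeat_event_data_LogonType": "3"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(json.dumps(decode_event(event)))
    print(render_stage2_rules())
```

Two differences from the pipeline are deliberate: the decoder keeps an unknown code verbatim instead of dropping it, and it lists names in the order the codes appear in the raw field, whereas Graylog gives no ordering guarantee for rules within one stage. The first sample decodes to |ReadData_or_ListDirectory|ReadAttributes|, the second to |Delete|DeleteChild|%%9999|.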

Tags: graylog