Querying Kibana for specific event types
1,262 views
Skip to first unread message
namobud...@gmail.com
Sep 19, 2016, 4:11:37 PM9/19/16
to ossec-list
Based on this storm center article:
I'm trying to figure out how to query Kibana for specific event ID numbers from the dashboard search area the article mentions. Is there a definitive guide for searching OSSEC with Kibana.
Jesus Linares
Sep 20, 2016, 3:56:44 AM9/20/16
to ossec-list
Hi,
In this case, you are filtering events with id 4625:
I assume you are sending the file alerts.json to elasticsearch.
in order to filter by an event ID of Windows, just use this query in the search bar of kibana:
decoder.name:"windows" AND id:"4625"2016 Sep 20 07:50:17 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-....: An account failed to log on...Regards.
namobud...@gmail.com
Sep 21, 2016, 9:55:17 AM9/21/16
to ossec-list
I tried this and it didn't work, I think because decoder.name doesn't exist in the logstash index. Instead of id, I have _id which is not a number but a character string.
Jesus Linares
Sep 22, 2016, 4:58:38 AM9/22/16
to ossec-list
Hi,
Review alerts.json in order to know if you have the decoder name and the event id extracted in fields. Also, check out your logstash mapping. If the fields are not extracted in alerts.json, you can not filter by them in kibana.
I did the query in Wazuh and it works, so I recommend you to try it. This is the documentation.
Regards.
Reply all
Reply to author
Forward
0 new messages