Graylog whitelist\blacklist?

I am using Graylog (winlogbeats) to forward Windows events to a Linux based UF. I have a props.conf on my indexer and SH to set field aliases, since Graylog forwards fields with a winlogbeats preface. I have 2 questions:

1. If I want to whitelist\blacklist on the UF, would I look for the fields with winlogbeats? So instead of this:

       blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

   would I replace it with this:

       blacklist1 = Winlogbeat_EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

2. Should I or should I not put the props.conf on the Linux UF? It looks like this:

       [graylog:windows]
       SHOULD_LINEMERGE = false
       TIME_FORMAT=%Y-%b-%d %H:%M:%S
       TZ = UTC
       FIELDALIAS-winlogbeat_as_host = winlogbeat_fields_collector_node_id as host
       FIELDALIAS-winlogbeat_as_eventid = winlogbeat_event_id as EventCode
       FIELDALIAS-winlogbeat_as_processname = winlogbeat_event_data_ProcessName as Process_Name
       FIELDALIAS-winlogbeat_as_logonid = winlogbeat_event_data_SubjectLogonId as Logon_ID
       FIELDALIAS-winlogbeat_as_user = winlogbeat_user_data_SubjectDomainName as user
       FIELDALIAS-winlogbeat_as_src_user = winlogbeat_user_data_subjectDomainName as src_user
       FIELDALIAS-winlogbeat_as_action = winlogbeat_keywords as action
       FIELDALIAS-winlogbeat_as_security_id = winlogbeat_user_data_SubjectUserSid as Security_ID
       FIELDALIAS-winlogbeat_as_account_domain = winlogbeat_user_data_SubjectDomainName as account_domain

Thanks!
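To see which of the two blacklist spellings in question 1 could ever match, here is an added Python emulation (not Splunk's code and not from the post): it parses the post's FIELDALIAS lines, builds the search-time view of a constructed winlogbeat-style event, and evaluates each blacklist against both the raw event and the aliased view. The event contents, the all-clauses-must-match rule and Python's regex engine standing in for Splunk's are assumptions of this emulation.

```python
import re

# Constructed sample events in the flattened winlogbeat_* form the post's
# aliases expect (not real log data); "Message" is kept as the post spells it.
EVENT_GPO = {
    "winlogbeat_event_id": "4662",
    "winlogbeat_fields_collector_node_id": "dc01.example.test",
    "Message": "Object Type:\tgroupPolicyContainer\n\tObject Name:\tCN={GUID}",
}
EVENT_USER = dict(EVENT_GPO, Message="Object Type:\tuser\n\tObject Name:\tCN=jdoe")

# FIELDALIAS lines taken from the post's [graylog:windows] stanza.
PROPS_LINES = """
FIELDALIAS-winlogbeat_as_host = winlogbeat_fields_collector_node_id as host
FIELDALIAS-winlogbeat_as_eventid = winlogbeat_event_id as EventCode
"""

# The two blacklist spellings the post asks about.
BL_ALIASED = r'EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"'
BL_RAW = r'winlogbeat_event_id="4662" Message="Object Type:\s+(?!groupPolicyContainer)"'

def parse_fieldaliases(text):
    """Return [(source_field, alias)] pairs from FIELDALIAS-* props.conf lines."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"\s*FIELDALIAS-\S+\s*=\s*(\S+)\s+as\s+(\S+)\s*$", line, re.I)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def apply_aliases(event, pairs):
    """Search-time view: original fields plus each alias pointing at the same
    value. Splunk applies FIELDALIAS at search time; a forwarder never sees it."""
    view = dict(event)
    for src, alias in pairs:
        if src in event:
            view[alias] = event[src]
    return view

def blacklist_matches(event, spec):
    """Emulate a key="regex" ... blacklist entry: every clause must match its
    field (assumed all-must-match rule, as in Splunk's WinEventLog blacklist)."""
    clauses = re.findall(r'(\w+)="((?:[^"\\]|\\.)*)"', spec)
    return bool(clauses) and all(
        f in event and re.search(rx, event[f]) is not None for f, rx in clauses)

def evaluate(event, spec):
    """(matches against the raw forwarder-side event, matches after aliasing)."""
    aliased = apply_aliases(event, parse_fieldaliases(PROPS_LINES))
    return blacklist_matches(event, spec), blacklist_matches(aliased, spec)
```

The aliased spelling only matches once the aliases exist, i.e. in the search-time view, while the raw winlogbeat_* spelling matches in both views; the groupPolicyContainer event is excluded by the negative lookahead in either case.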
