I'm looking at aggregating data within the whole ELK stack (Elasticsearch/Logstash/Kibana) and I'm getting lots of good data from my windows systems. It's working very well, but when i get Windows Security Events, I would like to correlate windows event IDs to human readable events. (e.g. Event ID 4990 = User opens file, 4658 = User closes file)
I'm also looking to have multiple filters, kinda like a pivot table, where i can show which files encountered which Event IDs, grouped by user, and file.
I'm thinking it could look something like the following:
- User1
- file1
- Event1 (human readable event name)| message | time
- file2
- Event2 | message | time
- Event3 | message | time
- file1
- User2
- file3
- Event4 | message | time
- file3
Do any of you know how to do this, or know of resources where i can accomplish this myself?
It's frustrating because i have all of the data, but can't seem to make it look like what i want.
Best Answer
Ultimately for the most part these two features I've just learned to live without. Generally the data gets parsed down pretty well from filters, and fortunately Windows event logs already provide decent details of the event, so I just have learned to live with just digging into the message to get the information.