Hello @BarryBurton,
Why do you bother and waste time/giving you headhache by creating regex when Winlogbeat do the work for you ?
I know writing down regex can be a challenge (and give some achievement happiness) but I suggest you to use Winlogbeat agent for Windows Logs as it parses and extract automatically all the “subfields” of Windows Events.
- Take a look at my Winlogbeat Sidecar configuration:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
hosts: ["graylog.lab.lan:5044"]
path.data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
path.logs: C:\Program Files\Graylog\sidecar\logs
path.module: C:\Program Files\Graylog\sidecar\module
winlogbeat.event_logs:
#FileSystem Monitor
- name: Security
event_id: 4656, 4663, 4670, 4907, 5140, 5142-5145
ignore_older: 24h
tags: [filesystem]
processors:
- script:
lang: javascript
id: security
file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
- drop_event.when.not.or:
- equals.winlog.event_data.ObjectType: "File"
- drop_event.when.or:
- regexp.winlog.event_data.winlog_task: 'Authorization Policy Change'
- regexp.winlog.event_data.winlog_task: 'Audit Policy Change'
- equals.winlog.event_data.winlog_task: "Registry"
- equals.winlog.event_data.winlog_task: "Kernel Object"
- equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
- equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'
#cant see the diff between human/computer action opening a folder, too many logs
- regexp.winlog.event_data.AccessList: '^%%4416.*'
# dont need to know who read which permission
- regexp.winlog.event_data.AccessList: '^%%1538.*'
- regexp.winlog.event_data.AccessList: '^%%1539.*'
- regexp.winlog.event_data.AccessList: '^%%1542.*'
#we dont need to monitor synchronize status event
- regexp.winlog.event_data.AccessList: '^%%1541.*'
#we do not need to know who read/write extended attribute
- regexp.winlog.event_data.AccessList: '^%%4419.*'
- regexp.winlog.event_data.AccessList: '^%%4420.*'
#computers always executing dll which gives too many logs
- regexp.winlog.event_data.AccessList: '^%%4421.*'
#too many logs for ReadAttributes event, on everyaction, it reads attribute
- regexp.winlog.event_data.AccessList: '^%%4423.*'
- regexp.winlog.event_data.AccessList: '^%%4424.*'
#dont need to know some activites automated by the system using user permission
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Windows.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\PenWorkspace.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\CLR_v4.0.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Internet Explorer\\CacheStorage.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Windows\\Recent\\AutomaticDestinations.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Packages.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Google\\Chrome\\User Data.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Google\\Chrome\\Application\\SetupMetrics.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Edge\\User Data.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\[a-zA-Z0-9._~-]+\\cache2.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Temp.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\D3DSCache.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Microsoft\\Windows\\DeliveryOptimization.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\ProgramData\\NVIDIA Corporation\\Drs.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\ProgramData\\USOShared\\Logs.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\Logs.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\System32\\LogFiles.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Token\\Cache.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Roaming\\Microsoft.*'
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache.*'
#dont need to know recycle bin activites, we already have the Delete event (%%1537)
- regexp.winlog.event_data.ObjectName: '^(?i)C\:\\\$Recycle.Bin.*'
##### ******* Windows OS ******** #######
- name: Security
event_id: 4608, 4610, 4611, 4614, 4622, 4697, 4719, 4817, 4826, 4902, 4904, 4905, 4906, 4908, 4912
ignore_older: 48h
tags: [windowsos]
processors:
- script:
lang: javascript
id: security
file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
- drop_event.when:
and:
- equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
- name: System
event_id: 12, 13, 1074
ignore_older: 24h
tags: [windowsos]
provider:
- Microsoft-Windows-Kernel-General
- USER32
- name: System
event_id: 16962, 16965, 16968, 16969, 41, 1001, 6008, 4621
ignore_older: 24h
tags: [windowsos]
- name: Microsoft-Windows-SMBServer/Audit
event_id: 3000
ignore_older: 24h
tags: [windowsos]
provider:
- Microsoft-Windows-SMBServer
##### ******* Windows USB ******** #######
- name: Microsoft-Windows-DriverFrameworks-UserMode/Operational
level: 'critical, error'
event_id: 2003, 2102
ignore_older: 24h
tags: [windowsusb]
- name: Microsoft-Windows-Kernel-PnP/Configuration
tags: [windowsusb]
processors:
- drop_event.when.not:
and:
- equals.winlog.event_data.DriverName: ""usbstor.inf""
event_id: 400, 410
ignore_older: 24h
tags: [windowsusb]
level: information
provider:
- Microsoft-Windows-Kernel-PnP
- name: Security
event_id: 6416, 6419-6424
ignore_older: 24h
tags: [windowsusb]
processors:
- script:
lang: javascript
id: security
file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
- drop_event.when.or:
- regexp.winlog.event_data.DeviceDescription: '^Microsoft Print to PDF.*'
- regexp.winlog.event_data.DeviceDescription: '^Microsoft XPS Document Writer.*'
- regexp.winlog.event_data.DeviceDescription: '^Generic Non-PnP Monitor.*'
##### ******* Windows Registry ******** #######
- name: Security
event_id: 4657
ignore_older: 24h
tags: [windowsregistry]
processors:
- script:
lang: javascript
id: security
file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
- drop_event.when.not.or:
- equals.winlog.event_data.OperationType: '%%1904'
- equals.winlog.event_data.OperationType: '%%1905'
- equals.winlog.event_data.OperationType: '%%1906'
- drop_event.when.not.or:
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellServiceObjects.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellServiceObjects.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Drive\\ShellEx\\ContextMenuHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\ContextMenuHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\DragDropHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\CopyHookHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\ContextMenuHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\DragDropHandlers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers.*'
- regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WinLogon\\GPExtensions.*'
##### ******* Windows Firewall ******** #######
- name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
event_id: 2002, 2004, 2005, 2006, 2009, 2033, 2099, 2097, 2010
ignore_older: 24h
tags: [windowsfirewall]
level: err, info
provider:
- Microsoft-Windows-Windows Firewall With Advanced Security
- name: Security
event_id: 4944-4954, 4956-4958, 5024, 5025, 5037, 5027-5030, 5032-5035, 5031, 5150, 5151, 5154-5157, 5159
ignore_older: 24h
tags: [windowsfirewall]
processors:
- script:
lang: javascript
id: security
file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
- drop_event.when.or:
- regexp.winlog.event_data.DestAddress: '239.255.255.250'
- regexp.winlog.event_data.DestAddress: '((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?'
- regexp.winlog.event_data.Application: 'dns.exe'
##### ******* Windows Service ******** #######
- name: System
event_id: 7022-7024, 7026, 7031, 7032, 7034, 7040, 7045
ignore_older: 24h
tags: [windowsservice]
level: err, info, crit, warn
provider:
- Service Control Manager
processors:
- drop_event.when.or:
- regexp.winlog.event_data.param1: '^Programme d’installation pour les modules Windows.*'
- regexp.winlog.event_data.param1: '^Service de transfert intelligent en arrière-plan.*'
##### ******* Windows EventLog ******** #######
- name: System
event_id: 104
ignore_older: 24h
tags: [windowseventlog]
level: info
provider:
- Microsoft-Windows-Eventlog
- name: Security
event_id: 1100, 1104, 1105, 1108
ignore_older: 24h
tags: [windowseventlog]
processors:
- script:
lang: javascript
id: security
file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
- name: Security
event_id: 1102
ignore_older: 24h
tags: [windowseventlog]
level: info
provider:
- Microsoft-Windows-Eventlog
processors:
- script:
lang: javascript
id: security
file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
##### ******* Windows PowerShell ******** #######
- name: Windows PowerShell
event_id: 400, 403, 600, 800
ignore_older: 48h
tags: [powershell-legacy]
processors:
- script:
lang: javascript
id: powershell
file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js
- name: Microsoft-Windows-PowerShell/Operational
event_id: 4103, 4105, 4106
ignore_older: 48h
tags: [powershell]
processors:
- script:
lang: javascript
id: powershell
file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js
- drop_event.when.or:
- equals.winlog.event_id: 4104
- equals.winlog.event_id: 4100
- equals.winlog.event_id: 32784
##### ******* Windows Privilege ******** #######
- name: Security
event_id: 4673, 4674, 4985
ignore_older: 24h
tags: [windowsprivilege]
processors:
- script:
lang: javascript
id: security
file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
##### ******* Windows Process ******** #######
- name: Security
event_id: 4688, 4689
ignore_older: 24h
tags: [windowsprocess]
processors:
- script:
lang: javascript
id: security
file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
##### ******* Windows Task ******** #######
- name: Microsoft-Windows-TaskScheduler/Operational
event_id: 106, 129, 141, 142, 200, 201
ignore_older: 24h
tags: [windowstask]
provider:
- Microsoft-Windows-TaskScheduler
- name: Security
event_id: 4698-4702
ignore_older: 24h
tags: [windowstask]
processors:
- script:
lang: javascript
id: security
file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
##### ******* DNS Client ******** #######
- name: Microsoft-Windows-DNS-Client/Operational
event_id: 3006, 3008, 3010, 3018
ignore_older: 24h
tags: [windowsdnsclient]
processors:
- drop_event.when:
or:
- equals.winlog.event_data.QueryOptions: '140737488355328'
- equals.winlog.event_data.QueryResults: ''
##### ******* Windows RDP ******** #######
- name: Microsoft-Windows-TerminalServices-RDPClient/Operational
ignore_older: 24h
tags: [windowsrdp]
level: crit, error, info, warn
- name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
ignore_older: 24h
tags: [windowsrdp]
level: crit, error, info, warn
##### ******* Account Lockout & Auth ******** #######
- name: Security
event_id: 4624-4627, 4634, 4647, 4649, 4672, 4675, 4740, 4774-4779, 4800-4803, 4964, 5378
level: info
ignore_older: 24h
tags: [auth]
provider:
- Microsoft-Windows-Security-Auditing
processors:
- script:
lang: javascript
id: security
file: C:\Program Files\Graylog\sidecar\module\security\config\winlogbeat-security.js
- drop_event.when:
or:
- equals.winlog.event_data.TargetUserSid: 'S-1-5-18'
- regexp.winlog.event_data.TargetUserName: '.*\$'
##### ******* Windows Defender ******** #######
- name: Microsoft-Windows-Windows Defender/Operational
event_id: 1006-1009, 1116-1119
ignore_older: 24h
tags: [windowsdefender]
And the sidecar configuration on your Windows host:
server_url: "https://graylog.lab.lan/api"
server_api_token: "paste_your_token_here"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_name: ""
update_interval: 10
tls_skip_verify: true
send_status: true
tags:
- winlogbeat
- filebeat-windows-firewall
collector_binaries_accesslist:
- "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
- "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
Also make sure to have the Winlogbeat Modules:
Winlogbeat Modules especially the security module allow Winlogbeat extract from XML directly and extract more data.