Hi there,
Trying to write a rule that looks for Windows/Directory Services event ID 2889 and rewrites one of the fields. The field contains an IP and a port (example: 172.189.20.201:59559) and I want just the IP (example: 172.189.20.201). The field is “winlogbeat_winlog_event_data_param1”.
Here is my rule:
rule "unsigned ldap IP parser"
when
  // match the event code exactly; contains() would also fire on codes such as 12889
  to_string($message.winlogbeat_event_code) == "2889"
then
  // regex() only returns capture groups, so the IP part must be in parentheses;
  // the first (and only) group is then available as temp["0"]
  let temp = regex("^([^:]+)", to_string($message.winlogbeat_winlog_event_data_param1));
  set_field("winlogbeat_client_ip", temp["0"]);
end
Here is an example log:
beats_type: winlogbeat
message:
  The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
  Client IP address:
  192.168.2.3:51193
  Identity the client attempted to authenticate as:
  win.local/berp
  Binding Type:
  0
source: dc4
timestamp: 2022-04-29 16:13:39.243 -07:00
winlogbeat_@metadata_beat: winlogbeat
winlogbeat_@metadata_type: _doc
winlogbeat_@metadata_version: 7.11.1
winlogbeat_@timestamp: 2022-04-29 16:13:39.243 -07:00
winlogbeat_agent_ephemeral_id: 6d35cc06-cc43-42b6-b171-e8c973edeeca
winlogbeat_agent_hostname: dc4
winlogbeat_agent_id: f4326cde-ab08-434c-bccb-15bde0aecae0
winlogbeat_agent_name: dc4
winlogbeat_agent_type: winlogbeat
winlogbeat_agent_version: 7.11.1
winlogbeat_collector_node_id: dc4
winlogbeat_ecs_version: 1.7.0
winlogbeat_event_action: LDAP Interface
winlogbeat_event_code: 2889
winlogbeat_event_created: 2022-04-29 16:13:40.675 -07:00
winlogbeat_event_kind: event
winlogbeat_event_provider: Microsoft-Windows-ActiveDirectory_DomainService
winlogbeat_host_name: dc4.win.local
winlogbeat_log_level: information
winlogbeat_tags: ["windows"]
winlogbeat_winlog_api: wineventlog
winlogbeat_winlog_channel: Directory Service
winlogbeat_winlog_computer_name: dc4.win.local
winlogbeat_winlog_event_data_param1: 192.168.2.3:51193
winlogbeat_winlog_event_data_param2: win.local/berp
winlogbeat_winlog_event_data_param3: 0
winlogbeat_winlog_event_id: 2889
winlogbeat_winlog_keywords: ["Classic"]
winlogbeat_winlog_process_pid: 688
winlogbeat_winlog_process_thread_id: 2692
winlogbeat_winlog_provider_guid: {0e8478c5-3605-4e8c-8497-1e730c959516}
winlogbeat_winlog_provider_name: Microsoft-Windows-ActiveDirectory_DomainService
winlogbeat_winlog_record_id: 5374839
winlogbeat_winlog_task: LDAP Interface
winlogbeat_winlog_user_domain: NT AUTHORITY
winlogbeat_winlog_user_identifier: S-1-5-7
winlogbeat_winlog_user_name: ANONYMOUS LOGON
winlogbeat_winlog_user_type: Well Known Group
Using Graylog version 4.2.7. Thanks!
-Blue
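The extraction the post is asking for, worked through outside Graylog as an added example (this is not code from the original post and not Graylog's own code). It shows two things the rule above needs to get right: the IP only comes back from a regex when it sits inside a capture group, and an anchored `^([^:]+)` is fine for the IPv4 `ip:port` values in the post but would stop at the first colon of an IPv6 address. The `[addr]:port` bracket form used for the IPv6 sample is an assumption about how such an address might be formatted, not something shown on the page; the event records below are constructed, shaped like the `winlogbeat_winlog_event_data_param1..3` fields, and include a non-2889 record to show the exact event-code match. The per-client summary is the kind of inventory you would build from event 2889 before enforcing LDAP signing or channel binding.

```python
"""Pull the client IP out of the event 2889 param1 field ("ip:port") and
summarize which clients perform unsigned/simple LDAP binds.

Added example; not code from the original post or from Graylog. The sample
records are constructed. The "[ipv6]:port" form is an assumption about how
an IPv6 client might appear in this field."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# The pattern the pipeline rule needs: only capture groups come back from
# Graylog's regex(), so the IP part must be parenthesised.
GRAYLOG_PATTERN = re.compile(r"^([^:]+)")


def regex_group_ip(value: str) -> Optional[str]:
    """What the corrected rule's temp["0"] would hold for this value."""
    m = GRAYLOG_PATTERN.match(value)
    return m.group(1) if m else None


def split_client_address(value: str) -> Tuple[str, int]:
    """Split "ip:port" or "[ipv6]:port" into a validated address and port.

    rpartition on the last ':' keeps IPv6 intact; the brackets (assumed
    format) are stripped before validation with the ipaddress module.
    """
    host, sep, port = value.strip().rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not an address:port value: {value!r}")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    ip = ipaddress.ip_address(host)  # ValueError on anything that is not an IP
    return str(ip), int(port)


# Constructed records shaped like the winlogbeat fields in the post.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_code": "2889", "param1": "192.168.2.3:51193", "param2": "win.local/berp", "param3": "0"},
    {"event_code": "2889", "param1": "192.168.2.3:51207", "param2": "win.local/berp", "param3": "0"},
    {"event_code": "2889", "param1": "192.168.2.44:60001", "param2": "win.local/svc_ldap", "param3": "1"},
    {"event_code": "2889", "param1": "[fe80::1]:54321", "param2": "win.local/ipv6host$", "param3": "0"},
    {"event_code": "1644", "param1": "not an address", "param2": "", "param3": ""},
]


def summarize(events: List[Dict[str, str]]) -> Dict[str, Dict]:
    """Group event 2889 records by client IP: bind count, identities, binding types."""
    by_ip: Dict[str, Dict] = defaultdict(
        lambda: {"count": 0, "identities": set(), "binding_types": set()}
    )
    for ev in events:
        if ev.get("event_code") != "2889":  # exact match, not a substring test
            continue
        try:
            ip, _port = split_client_address(ev["param1"])
        except ValueError:
            continue  # malformed param1; skip rather than mis-attribute
        entry = by_ip[ip]
        entry["count"] += 1
        entry["identities"].add(ev["param2"])
        entry["binding_types"].add(ev["param3"])
    return dict(by_ip)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['param1']!r:28} regex group -> {regex_group_ip(ev['param1'])!r}")
    for ip, info in summarize(SAMPLE_EVENTS).items():
        print(ip, info["count"], sorted(info["identities"]), sorted(info["binding_types"]))
```

Run as a script it prints, for each sample value, what the anchored regex would return next to the parsed result; the IPv6 row is the one where the regex stops at `[fe80` while `split_client_address` still yields the full address.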