I tried this and it didn't work, I think because decoder.name doesn't exist 
in the logstash index. Instead of id, I have _id which is not a number but 
a character string.

On Tuesday, September 20, 2016 at 3:56:44 AM UTC-4, Jesus Linares wrote:
>
> Hi,
>
> in order to filter by an event ID of Windows, just use this query in the 
> search bar of kibana:
> decoder.name:"windows" AND id:"4625"
>
> In this case, you are filtering events with id 4625:
> 2016 Sep 20 07:50:17 WinEvtLog: Security: AUDIT_FAILURE(*4625*): Microsoft
> -Windows-Security-Auditing: (no user): no domain: WIN-....: An account 
> failed to log on...
>
> I assume you are sending the file *alerts.json* to elasticsearch.
>
> Regards.
>
> On Monday, September 19, 2016 at 10:11:37 PM UTC+2, namobud...@gmail.com 
> wrote:
>>
>> Based on this storm center article:
>>
>> https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/
>>
>> I'm trying to figure out how to query Kibana for specific event ID 
>> numbers from the dashboard search area the article mentions. Is there a 
>> definitive guide for searching OSSEC with Kibana.
>>
>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to