Review *alerts.json* in order to know if you have the decoder name and the 
event id extracted in fields. Also, check out your logstash mapping. If the 
fields are not extracted in alerts.json, you can not filter by them in 

I did the query in Wazuh and it works, so I recommend you to try it. This 
is the documentation 


On Wednesday, September 21, 2016 at 3:55:17 PM UTC+2, namobud...@gmail.com 
> I tried this and it didn't work, I think because decoder.name doesn't 
> exist in the logstash index. Instead of id, I have _id which is not a 
> number but a character string.
> On Tuesday, September 20, 2016 at 3:56:44 AM UTC-4, Jesus Linares wrote:
>> Hi,
>> in order to filter by an event ID of Windows, just use this query in the 
>> search bar of kibana:
>> decoder.name:"windows" AND id:"4625"
>> In this case, you are filtering events with id 4625:
>> 2016 Sep 20 07:50:17 WinEvtLog: Security: AUDIT_FAILURE(*4625*): 
>> Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-....: An 
>> account failed to log on...
>> I assume you are sending the file *alerts.json* to elasticsearch.
>> Regards.
>> On Monday, September 19, 2016 at 10:11:37 PM UTC+2, namobud...@gmail.com 
>> wrote:
>>> Based on this storm center article:
>>> https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/
>>> I'm trying to figure out how to query Kibana for specific event ID 
>>> numbers from the dashboard search area the article mentions. Is there a 
>>> definitive guide for searching OSSEC with Kibana.


You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to