Hi,

Review *alerts.json* in order to know if you have the decoder name and the 
event ID extracted as fields. Also, check your Logstash mapping. If the 
fields are not extracted in alerts.json, you cannot filter by them in 
Kibana.

I did the query in Wazuh and it works, so I recommend that you try it. This 
is the documentation: 
<http://wazuh-documentation.readthedocs.io/en/latest/ossec_elk.html>.

Regards.

On Wednesday, September 21, 2016 at 3:55:17 PM UTC+2, namobud...@gmail.com 
wrote:
>
> I tried this and it didn't work, I think because decoder.name doesn't 
> exist in the Logstash index. Instead of id, I have _id, which is not a 
> number but a character string.
>
> On Tuesday, September 20, 2016 at 3:56:44 AM UTC-4, Jesus Linares wrote:
>>
>> Hi,
>>
>> In order to filter by a Windows event ID, just use this query in the 
>> Kibana search bar:
>> decoder.name:"windows" AND id:"4625"
>>
>> In this case, you are filtering events with id 4625:
>> 2016 Sep 20 07:50:17 WinEvtLog: Security: AUDIT_FAILURE(*4625*): 
>> Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-....: An 
>> account failed to log on...
>>
>> I assume you are sending the file *alerts.json* to elasticsearch.
>>
>> Regards.
>>
>> On Monday, September 19, 2016 at 10:11:37 PM UTC+2, namobud...@gmail.com 
>> wrote:
>>>
>>> Based on this storm center article:
>>>
>>> https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/
>>>
>>> I'm trying to figure out how to query Kibana for specific event ID 
>>> numbers from the dashboard search area the article mentions. Is there a 
>>> definitive guide for searching OSSEC with Kibana?
>>>
>>>
>>>
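As an added example (not from the thread, and not OSSEC or Wazuh code), here is a short Python script that does the check suggested in the reply above: it parses alerts.json, reports which alerts lack `decoder.name` and `id`, and applies the same filter the Kibana query `decoder.name:"windows" AND id:"4625"` expresses. The field layout (nested `decoder.name`, top-level `id` holding the Windows event ID) and the sample alert lines are assumptions constructed to match that query. Note that the `_id` seen in Kibana is the per-document identifier Elasticsearch assigns, not the OSSEC `id` field, so it cannot be used for this filter.

```python
import json
import re

# Constructed sample of newline-delimited alerts.json records (assumed layout:
# nested "decoder.name", top-level "id" for the Windows event ID). Not real data.
SAMPLE_ALERTS_JSON = "\n".join([
    json.dumps({
        "rule": {"level": 5, "sidid": 18105, "description": "Windows logon failure."},
        "decoder": {"name": "windows"},
        "id": "4625",
        "status": "AUDIT_FAILURE",
        "hostname": "WIN-AAA",
        "timestamp": "2016-09-20T07:50:17.000Z",
        "full_log": "2016 Sep 20 07:50:17 WinEvtLog: Security: AUDIT_FAILURE(4625): "
                    "Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-AAA: "
                    "An account failed to log on.",
    }),
    json.dumps({
        "rule": {"level": 3, "sidid": 18107, "description": "Windows logon success."},
        "decoder": {"name": "windows"},
        "id": "4624",
        "status": "AUDIT_SUCCESS",
        "hostname": "WIN-AAA",
        "timestamp": "2016-09-20T07:51:02.000Z",
        "full_log": "2016 Sep 20 07:51:02 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
                    "Microsoft-Windows-Security-Auditing: alice: CORP: WIN-AAA: "
                    "An account was successfully logged on.",
    }),
    json.dumps({
        "rule": {"level": 5, "sidid": 5710, "description": "sshd: non-existent user."},
        "decoder": {"name": "sshd"},
        "srcip": "198.51.100.7",
        "hostname": "bastion",
        "timestamp": "2016-09-20T07:52:40.000Z",
        "full_log": "Sep 20 07:52:40 bastion sshd[2231]: Invalid user admin from 198.51.100.7",
    }),
    # A Windows alert whose decoder did not extract "id": only full_log carries it.
    json.dumps({
        "rule": {"level": 5, "sidid": 18105, "description": "Windows logon failure."},
        "decoder": {"name": "windows"},
        "hostname": "WIN-BBB",
        "timestamp": "2016-09-20T07:53:11.000Z",
        "full_log": "2016 Sep 20 07:53:11 WinEvtLog: Security: AUDIT_FAILURE(4625): "
                    "Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-BBB: "
                    "An account failed to log on.",
    }),
    "this line is not JSON and must be skipped",
])

# Matches the "<STATUS>(<event id>)" token in an OSSEC WinEvtLog full_log line.
EVENT_ID_RE = re.compile(r"\b(AUDIT_FAILURE|AUDIT_SUCCESS|INFORMATION|WARNING|ERROR)\((\d+)\)")


def load_alerts(text):
    """Parse newline-delimited JSON; malformed lines are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def get_field(alert, dotted):
    """Resolve a dotted path such as "decoder.name"; None if any part is absent."""
    cur = alert
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def missing_field_report(alerts, fields=("decoder.name", "id")):
    """How many alerts lack each field: the check the reply recommends doing."""
    return {f: sum(1 for a in alerts if get_field(a, f) is None) for f in fields}


def windows_event_id(alert, fallback_to_full_log=False):
    """Event ID as a string from the extracted field; optionally parse full_log instead."""
    eid = get_field(alert, "id")
    if eid is not None:
        return str(eid)
    if fallback_to_full_log:
        m = EVENT_ID_RE.search(alert.get("full_log", ""))
        return m.group(2) if m else None
    return None


def filter_windows_events(alerts, event_id, fallback_to_full_log=False):
    """Same selection as decoder.name:"windows" AND id:"<event_id>" in Kibana.

    With fallback_to_full_log=True, alerts that never had "id" extracted are
    still matched by reading the raw log; Kibana cannot do that unless the
    field is mapped, which is the point of the reply above.
    """
    return [a for a in alerts
            if get_field(a, "decoder.name") == "windows"
            and windows_event_id(a, fallback_to_full_log) == str(event_id)]


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    print("missing fields:", missing_field_report(alerts))
    for a in filter_windows_events(alerts, 4625):
        print("4625 (extracted id):", a["hostname"], a["timestamp"])
    for a in filter_windows_events(alerts, 4625, fallback_to_full_log=True):
        print("4625 (field or full_log):", a["hostname"], a["timestamp"])
```

Run it against a real file with `load_alerts(open("/var/ossec/logs/alerts/alerts.json").read())` (path assumed). If `missing_field_report` shows `id` absent on Windows alerts, the decoder is not extracting it and no Kibana query on `id` will match, regardless of the Logstash mapping.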
