Thanks Pedro,
I just updated my configuration.
I share my filter block here in case someone reads this topic and wants a
complete guide.
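filter {
  # Only events typed "wazuh-alerts" are touched; anything else passes through unchanged.
  if [type] == "wazuh-alerts" {

    # GeoIP enrichment: look up the source address in "srcip" and store the
    # result under "GeoLocation".
    geoip {
      source => "srcip"
      target => "GeoLocation"
    }

    # Parse the alert's own "timestamp" (ISO8601) into @timestamp.
    # If parsing fails the event is tagged _dateparsefailure and @timestamp
    # is left as-is.
    date {
      match  => ["timestamp", "ISO8601"]
      target => "@timestamp"
    }

    mutate {
      # Rewrite the %%NNNN message-resource tokens in "accesses" into readable
      # names. All field/pattern/replacement triples live in ONE gsub array:
      # repeating "gsub =>" inside a plugin block relies on Logstash merging
      # duplicate option keys, and older releases union the arrays (dropping
      # the repeated "accesses" and replacement strings), which silently
      # misaligns the triples. A single array is the form the mutate plugin
      # documents and behaves the same on every release.
      # Patterns are regular expressions; "%" and digits are literal, so no
      # escaping is needed.
      # NOTE(review): these tokens look like Windows access-mask message ids.
      # %%1538, %%1539 and %%1540 are all mapped to "ReadControl" here, but
      # %%1539 and %%1540 are commonly WRITE_DAC / WRITE_OWNER -- confirm
      # against the message table before collapsing them, since those are
      # the permission-changing accesses a detection would most want to see.
      gsub => [
        "accesses", "%%1537", "Delete",
        "accesses", "%%1538", "ReadControl",
        "accesses", "%%1539", "ReadControl",
        "accesses", "%%1540", "ReadControl",
        "accesses", "%%1541", "Synchronize",
        "accesses", "%%1542", "Synchronize",
        "accesses", "%%4416", "ReadData",
        "accesses", "%%4417", "WriteData",
        "accesses", "%%4418", "AppendData",
        "accesses", "%%4419", "ReadEA",
        "accesses", "%%4420", "WriteEA",
        "accesses", "%%4423", "ReadAttrib",
        "accesses", "%%4424", "WriteAttrib",
        "accesses", "%%1801", "Granted",
        "accesses", "%%1805", "NotGranted"
      ]

      # Drop transport/metadata fields that are no longer needed once the
      # filters above have run. "timestamp" is removed unconditionally, even
      # when the date filter failed to parse it; guard on the
      # _dateparsefailure tag if the raw value must survive in that case.
      remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
    }
  }
}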
Thank you