-
Notifications
You must be signed in to change notification settings - Fork 77
/
Copy pathwinlogbeat.yml
93 lines (86 loc) · 2.63 KB
/
winlogbeat.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
- name: System
- name: Security
# processors:
# - script:
# lang: javascript
# id: security
# file: ${path.home}/module/security/config/winlogbeat-security.js
- name: Microsoft-Windows-Sysmon/Operational
# processors:
# - script:
# lang: javascript
# id: sysmon
# file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
- name: Microsoft-windows-PowerShell/Operational
ignore_older: 30m
event_id: 4103, 4104
- name: Windows PowerShell
event_id: 400,600
ignore_older: 30m
- name: ForwardedEvents
ignore_older: 30m
- name: Microsoft-Windows-WMI-Activity/Operational
event_id: 5857,5858,5859,5860,5861
- name: WEC-Authentication
- name: WEC-Code-Integrity
- name: WEC-EMET
- name: WEC-Powershell
- name: WEC-Process-Execution
- name: WEC-Services
- name: WEC-WMI
- name: WEC16-Test
- name: WEC2-Application-Crashes
- name: WEC2-Applocker
- name: WEC2-Group-Policy-Errors
- name: WEC2-Object-Manipulation
- name: WEC2-Registry
- name: WEC2-Task-Scheduler
- name: WEC2-Windows-Defender
- name: WEC3-Account-Management
- name: WEC3-Drivers
- name: WEC3-External-Devices
- name: WEC3-Firewall
- name: WEC3-Print
- name: WEC3-Smart-Card
- name: WEC3-Windows-Diagnostics
- name: WEC4-Bits-Client
- name: WEC4-DNS
- name: WEC4-Hotpatching-Errors
- name: WEC4-Shares
- name: WEC4-System-Time-Change
- name: WEC4-Windows-Updates
- name: WEC4-Wireless
- name: WEC5-Autoruns
- name: WEC5-Certificate-Authority
- name: WEC5-Crypto-API
- name: WEC5-Log-Deletion-Security
- name: WEC5-Log-Deletion-System
- name: WEC5-MSI-Packages
- name: WEC5-Operating-System
- name: WEC6-ADFS
- name: WEC6-Device-Guard
- name: WEC6-Duo-Security
- name: WEC6-Exploit-Guard
- name: WEC6-Microsoft-Office
- name: WEC6-Software-Restriction-Policies
- name: WEC6-Sysmon
- name: WEC7-Active-Directory
- name: WEC7-Privilege-Use
- name: WEC7-Terminal-Services
#-------------------- Logstash output -------------------
#output.logstash:
# The Logstash hosts
# hosts: ["10.10.98.20:5044"]
#----------------------------- Kafka output --------------------------------
output.kafka:
# initial brokers for reading cluster metadata
# Place your HELK IP(s) here (keep the port).
# If you only have one Kafka instance (default for HELK) then remove the 2nd IP that has port 9093
hosts: ["10.10.98.20:9092"]
topic: "winlogbeat"
############################# HELK Optimizing Latency ######################
max_retries: 2
max_message_bytes: 1000000