Windows eventlog are not visible in kibana

joschi99 / Osiris

Osiris NMS

0 stars 1 forks source link

Windows eventlog are not visible in kibana #19

Closed joschi99 closed 9 years ago

joschi99 commented 9 years ago

The customer Kaufgut are not able to find the logs from the Windows Event Log in Kibana. The logs are send to Osiris2.1 and the are on the samba share, but in Elasticsearch the logs are not present.

Systems:

Osiris 2.1
RSyslog 8.13.0
Elasticsearch 1.7.x
Snare 4.0.2 for Windows

joschi99 commented 9 years ago

The problem is that the log are send from snare in a non standard syslog format. The logs are present on Elasticsearch, but they don't have a correct mapping with the index. For this issue the search in Kibana does'nt work.

joschi99 commented 9 years ago

Implemented in Osiris2.1 on customer Kaufgut the nxlog -> Logstash -> elastic -> kibana enhancements from Osiris2.2 development.

upgrade logstash 1.5.5
logstash configuration 10-win_evt.conf
replace Snare agent with nxlog agent on windows server
install Kibana windows eventlog dashboards

Solution implemented without problems. Verified by customer.