I successfully got the logs from another Ubuntu server with filebeat. I installed winlogbeat on Windows 7 Ultimate 32-bit. At first both machines worked fine, but after ten minutes I could no longer see the Windows logs.
I shut down the other Ubuntu server and checked the winlogbeat log, and I realized that the time at which winlogbeat publishes the events does not match the timestamp field.
I can receive the logs, but I have to change the kibana time picker to "Last 2 hours".
Winlogbeat log:
2016-11-08T16:36:54+01:00 DBG Publish: {
  "@timestamp": "2016-11-08T15:36:52.492Z",
  "beat": {
    "hostname": "Admin-PC",
    "name": "Admin-PC",
    "version": "5.0.0"
  },
  "computer_name": "Admin-PC",
  "event_data": {
    "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege",
    "SubjectDomainName": "NT AUTHORITY",
    "SubjectLogonId": "0x3e7",
    "SubjectUserName": "SYSTEM",
    "SubjectUserSid": "S-1-5-18"
  },
  "event_id": 4672,
  "keywords": [
    "Auditoría correcta"
  ],
  "level": "Información",
  "log_name": "Security",
  "message": "Se asignaron privilegios especiales a un nuevo inicio de sesión.\n\nSujeto:\n\tId. de seguridad:\t\tS-1-5-18\n\tNombre de cuenta:\t\tSYSTEM\n\tDominio de cuenta:\t\tNT AUTHORITY\n\tId. de inicio de sesión:\t\t0x3e7\n\nPrivilegios:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege",
  "opcode": "Información",
  "process_id": 480,
  "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "record_number": "611",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "task": "Inicio de sesión especial",
  "thread_id": 528,
  "type": "wineventlog"
}
I have ELK on Ubuntu (Logstash v2.3.4, Elasticsearch v1.7.3 and Kibana v4.1.2).
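One way to check whether a Beat's local publish time and the event's `@timestamp` actually disagree, as an added example that is not part of the original post and not Winlogbeat's own code: parse both values together with their zone information, convert both to UTC, and report the difference in seconds. The debug line and event below are constructed from the output quoted above; the five-minute skew threshold and the `check_publish_line` helper are assumptions made for this example.

```python
"""Compare a Beat's local publish time with the event's @timestamp (UTC).

Added example; not code from Winlogbeat or the Elastic projects.
"""
import re
from datetime import datetime, timedelta, timezone

# Prefix of a Winlogbeat 5.x debug line, e.g.
# "2016-11-08T16:36:54+01:00 DBG Publish: {" (constructed from the post).
PUBLISH_LINE = re.compile(r"^(?P<ts>\S+)\s+DBG\s+Publish:")

# Constructed sample input, copied from the debug output quoted in the post.
SAMPLE_LINE = "2016-11-08T16:36:54+01:00 DBG Publish: {"
SAMPLE_EVENT = {"@timestamp": "2016-11-08T15:36:52.492Z", "event_id": 4672}

# Assumed threshold: anything beyond this is treated as real clock skew
# rather than the normal delay between reading and publishing an event.
DEFAULT_MAX_SKEW = timedelta(minutes=5)


def parse_iso8601(value: str) -> datetime:
    """Parse an ISO 8601 timestamp carrying either a numeric offset (+01:00)
    or a trailing 'Z' into a timezone-aware datetime.

    datetime.fromisoformat() rejects the 'Z' suffix before Python 3.11,
    so it is normalized to '+00:00' first. Naive timestamps are refused:
    without zone information the comparison would be meaningless.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp has no zone information: {value}")
    return dt


def skew_seconds(publish_time: str, event_timestamp: str) -> float:
    """Return (publish_time - event_timestamp) in seconds, both taken in UTC."""
    published = parse_iso8601(publish_time).astimezone(timezone.utc)
    stamped = parse_iso8601(event_timestamp).astimezone(timezone.utc)
    return (published - stamped).total_seconds()


def check_publish_line(line: str, event: dict,
                       max_skew: timedelta = DEFAULT_MAX_SKEW) -> dict:
    """Pair one 'DBG Publish:' line with the event it printed and report
    both instants in UTC plus whether the difference exceeds max_skew."""
    match = PUBLISH_LINE.match(line)
    if match is None:
        raise ValueError(f"not a Publish debug line: {line!r}")
    publish_utc = parse_iso8601(match.group("ts")).astimezone(timezone.utc)
    stamp_utc = parse_iso8601(event["@timestamp"]).astimezone(timezone.utc)
    skew = (publish_utc - stamp_utc).total_seconds()
    return {
        "publish_utc": publish_utc.isoformat(),
        "timestamp_utc": stamp_utc.isoformat(),
        "skew_seconds": skew,
        "clock_skew_suspected": abs(skew) > max_skew.total_seconds(),
    }


if __name__ == "__main__":
    report = check_publish_line(SAMPLE_LINE, SAMPLE_EVENT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report is only meaningful when both values carry zone information, which is why naive timestamps are rejected instead of silently assumed to be local time; a view in Kibana is likewise filtered on the UTC `@timestamp`, so any check of "why did the events leave the Last 15 minutes window" should be done on the converted values rather than on the wall-clock string in the debug log.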