-
Notifications
You must be signed in to change notification settings - Fork 55
/
autorun.conf
37 lines (33 loc) · 1.09 KB
/
autorun.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# Author: Justin Henderson
# Email: jhenderson@tekrefresh.comes
# Last Update: 11/18/2015
#
# This conf file is based on accepting logs for autorunsc that are in tab delimited format
# The command ran to generate these logs is : NEED_TO_ADD_COMMAND
input {
tcp {
port => 5001
type => "autorun"
}
}
filter {
if [type] == "autorun" {
# This is the initial parsing of the log
grok {
match => { "message" => "%{DATA:Time}\t%{DATA:EntryLocation}\t%{DATA:Entry}\t%{DATA:Enabled}\t%{DATA:Category}\t%{DATA:Profile}\t%{DATA:Description}\t%{DATA:Publisher}\t%{DATA:ImagePath}\t%{DATA:Version}\t%{DATA:LaunchString}\t%{DATA:MD5}\t%{DATA:SHA1}\t%{DATA:PESHA1}\t%{DATA:PESHA256}\t%{GREEDYDATA:IMP}"}
}
# Drop the message field as it is not very readable and unneccessary
mutate {
remove_field => [ "message"]
}
}
}
output {
if [type] == "autorun" {
elasticsearch {
# Because of the amount of data and the data usage of this type of log I prefer it in a different index.
# If you do not want this then comment out the index field below
index => "autorun-%{+YYYY.MM.dd}"
}
}
}