Thanks Pedro,
I just updated my configuration.
I'm sharing my filter block here in case someone reads this topic and wants a 
complete guide.

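filter {
  if [type] == "wazuh-alerts" {
    # Geo-enrich the alert's source IP. A failed lookup does not drop the
    # event; the plugin adds its tag_on_failure tag (default
    # "_geoip_lookup_failure") to [tags] instead.
    geoip {
      source => "srcip"
      target => "GeoLocation"
    }

    # Use the alert's own time as the event time. On a parse failure the
    # plugin leaves @timestamp at ingest time and adds "_dateparsefailure"
    # to [tags]; because [timestamp] is removed further down, the original
    # value is then gone from the stored event.
    date {
      match  => ["timestamp", "ISO8601"]
      target => "@timestamp"
    }

    mutate {
      # Replace the Windows Security-log access-mask placeholders (%%NNNN)
      # carried in the "accesses" field of object-access events with
      # readable names. One gsub array is the documented form (field,
      # pattern, replacement, repeated); the original repeated the gsub
      # option once per rule, which only works because Logstash merges
      # same-named options of a plugin.
      # Names follow the access-mask table in Microsoft's documentation for
      # event 4663. Three entries of the original mapping were corrected:
      #   %%1539 is WRITE_DAC      (was labelled ReadControl)
      #   %%1540 is WRITE_OWNER    (was labelled ReadControl)
      #   %%1542 is ACCESS_SYS_SEC (was labelled Synchronize)
      # This matters for detection: changing a DACL, taking ownership or
      # touching the SACL are tampering actions, not reads.
      # %%1801 / %%1805 are kept as the author mapped them; they are not part
      # of the 4663 access-mask table, so confirm them against your own logs.
      gsub => [
        "accesses", "%%1537", "Delete",
        "accesses", "%%1538", "ReadControl",
        "accesses", "%%1539", "WriteDAC",
        "accesses", "%%1540", "WriteOwner",
        "accesses", "%%1541", "Synchronize",
        "accesses", "%%1542", "AccessSysSec",
        "accesses", "%%4416", "ReadData",
        "accesses", "%%4417", "WriteData",
        "accesses", "%%4418", "AppendData",
        "accesses", "%%4419", "ReadEA",
        "accesses", "%%4420", "WriteEA",
        "accesses", "%%4423", "ReadAttrib",
        "accesses", "%%4424", "WriteAttrib",
        "accesses", "%%1801", "Granted",
        "accesses", "%%1805", "NotGranted"
      ]
      # Dropping [tags] also discards the failure tags set by the geoip and
      # date filters above, so lookup and parse problems become invisible in
      # the index. Leave "tags" out of this list if you want to see them.
      remove_field => [ "timestamp", "beat", "fields", "input_type",
                        "tags", "count" ]
    }
  }
}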

Thank you
