Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.7.0
Describe the issue:
Hello,
I want to use Sigma rules to inspect my Windows domain controller, but the index size is around 30 GB per day.
Do you have any advice or best practices to limit the events sent to OpenSearch?
Thanks
Configuration:
winlogbeat.event_logs:
  - name: Application
    ignore_older: 10m

  - name: System
    ignore_older: 10m

  - name: Security
    ignore_older: 10m
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 10m
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  - name: Windows PowerShell
    ignore_older: 10m
    event_id: 400, 403, 600, 800
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: Microsoft-Windows-PowerShell/Operational
    ignore_older: 10m
    event_id: 4103, 4104, 4105, 4106
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: ForwardedEvents
    ignore_older: 10m
    tags: [forwarded]
    processors:
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
          when.equals.winlog.channel: Windows PowerShell
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
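As an added example (not the poster's configuration), here is one way to cut Security-channel volume inside winlogbeat itself, before anything reaches OpenSearch: excluding event IDs with winlogbeat's negative-ID syntax, dropping machine-account Kerberos service-ticket events, and removing the rendered `message` field. The excluded IDs and the 4769 filter are assumptions about what is typically noisiest on a domain controller; run a terms aggregation on `winlog.event_id` over a day of your own data before adopting them.

```yaml
# Added example, not from the original post: trim Security-channel volume on a
# domain controller at the winlogbeat level. Event IDs below are assumptions.
winlogbeat.event_logs:
  - name: Security
    ignore_older: 10m
    # A leading "-" excludes an ID. 4658 (handle closed), 4662 (directory
    # object access) and 5156/5158 (Windows Filtering Platform) are assumed
    # to dominate DC volume and are rarely needed by Sigma rules.
    event_id: -4658, -4662, -5156, -5158
    processors:
      # Keep the standard ECS enrichment the Sigma backends expect.
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      # Drop 4769 (Kerberos service ticket) requested by machine accounts
      # (names ending in "$"). User-account 4769 events stay, since
      # Kerberoasting detections depend on them.
      - drop_event:
          when:
            and:
              - equals.winlog.event_id: "4769"
              - regexp.winlog.event_data.TargetUserName: '\$@'
      # The rendered message repeats winlog.event_data as free text and is
      # usually the largest single field. Only drop it if none of your Sigma
      # rules match on the message text.
      - drop_fields:
          fields: ["message"]
          ignore_missing: true
```

Apply the same pattern to the Sysmon channel only as a last resort; Sysmon noise is better removed in the Sysmon configuration so the events are never written to the event log at all.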