Add field in logstash of Winlogbeats input

Hello there !

I have the following Winlogbeat output in Logstash:

{
           "ecs" => {
        "version" => "1.4.0"
    },
           "log" => {
        "level" => "information"
    },
      "@version" => "1",
         "event" => {
         "created" => "2020-04-06T09:50:11.918Z",
        "provider" => "Microsoft-Windows-Security-Auditing",
            "kind" => "event",
          "action" => "Logon",
            "code" => 4625
    },
       "message" => "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWINSRV$\n\tAccount Domain:\t\tDEV\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t7\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tnets_srv\n\tAccount Domain:\t\tDEV\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC000006A\n\nProcess Information:\n\tCaller Process ID:\t0x158\n\tCaller Process Name:\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tWINSRV\n\tSource Network Address:\t127.0.0.1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
          "type" => "kafka",
    "@timestamp" => 2020-04-06T09:49:43.872Z,
         "agent" => {
            "hostname" => "W2012-COLLECTOR",
                "type" => "winlogbeat",
        "ephemeral_id" => "1fa2a64f-dc3c-410c-aca7-6b14aa0145b3",
             "version" => "7.6.1",
                  "id" => "06be6de9-4781-4bf5-9ba6-20705d2de775"
    },
        "winlog" => {
           "event_data" => {
                       "SubjectUserSid" => "S-1-5-18",
                      "WorkstationName" => "WINSRV",
                        "TargetUserSid" => "S-1-0-0",
                     "TargetDomainName" => "DEV",
                            "ProcessId" => "0x158",
                          "ProcessName" => "C:\\Windows\\System32\\winlogon.exe",
            "AuthenticationPackageName" => "Negotiate",
                            "IpAddress" => "127.0.0.1",
                     "LogonProcessName" => "User32 ",
                            "LogonType" => "7",
                       "SubjectLogonId" => "0x3e7",
                       "TargetUserName" => "nets_srv",
                    "SubjectDomainName" => "DEV",
                  "TransmittedServices" => "-",
                        "LmPackageName" => "-",
                      "SubjectUserName" => "WINSRV$",
                            "KeyLength" => "0",
                               "IpPort" => "0",
                            "SubStatus" => "0xc000006a",
                               "Status" => "0xc000006d",
                        "FailureReason" => "%%2313"
        },
                  "api" => "wineventlog",
        "provider_name" => "Microsoft-Windows-Security-Auditing",
             "event_id" => 4625,
                 "task" => "Logon",
        "provider_guid" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
               "opcode" => "Info",
              "channel" => "Security",
              "process" => {
            "thread" => {
                "id" => 3012
            },
               "pid" => 504
        },
        "computer_name" => "WINSRV.DEV.LOCAL",
             "keywords" => [
            [0] "Audit Failure"
        ],
            "record_id" => 4547
    },
          "host" => {
            "hostname" => "W2012-COLLECTOR",
        "architecture" => "x86_64",
                  "id" => "93ff0365-54bb-474b-bd46-e30c717d86a7",
                  "os" => {
             "version" => "6.3",
                "name" => "Windows Server 2012 R2 Standard Evaluation",
               "build" => "9600.0",
              "kernel" => "6.3.9600.17031 (winblue_gdr.140221-1952)",
              "family" => "windows",
            "platform" => "windows"
        },
                "name" => "WINSRV.DEV.LOCAL"
    }
}

I would like to add a field if code = 4625

Tried this:

filter {
  if [code] == 4625 {
    mutate {
      add_field => [ "TEST", "OK" ]
    }
  }
}

But it doesn't work. I also tried event.code == 4625 but it doesn't match either.

Any idea why my filter doesn't catch the field?

Thanks !

Your event does not have a [code] field, it has an [event][code] field.

Hello @Badger

Tried also with event.code but no match too

If event is an object that contains a field called code then in logstash that is referred to as [event][code], not event.code.

Oh... ok!! I didn't think of it as an object.

It's working now. Thanks a lot @Badger :hugs:
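For reference, here is the corrected filter written out in full, using the nested [event][code] reference Badger describes. This is an added example, not the configuration from the thread: beyond the TEST field it also uses the bundled translate filter to turn the hex SubStatus of the 4625 event above (here "0xc000006a") into a readable reason and tags the event, which is what you would typically want before alerting on failed logons. The dictionary values are well-known Windows NTSTATUS codes; the field names [event][reason] and [event][logon_type_name] are my own choice.

```logstash
filter {
  # Winlogbeat ships "event" as an object, so its "code" member is
  # referenced as [event][code] in Logstash, never as "code" or event.code.
  # event.code is an integer in the decoded event, so compare numerically.
  if [event][code] == 4625 {

    mutate {
      # Hash form of add_field; the array form [ "TEST", "OK" ] is deprecated.
      add_field => { "TEST" => "OK" }
      add_tag   => [ "windows_failed_logon" ]
    }

    # Map the NTSTATUS sub status to a human-readable reason.
    # Winlogbeat emits the value in lowercase hex, so keys are lowercase.
    translate {
      field       => "[winlog][event_data][SubStatus]"
      destination => "[event][reason]"      # assumed field name
      dictionary  => {
        "0xc000006a" => "wrong password"
        "0xc0000064" => "user name does not exist"
        "0xc0000072" => "account disabled"
        "0xc0000071" => "password expired"
        "0xc0000234" => "account locked out"
      }
      fallback    => "unknown (%{[winlog][event_data][SubStatus]})"
    }

    # LogonType is a string in event_data, so compare against strings.
    if [winlog][event_data][LogonType] == "7" {
      mutate { add_field => { "[event][logon_type_name]" => "unlock" } }
    } else if [winlog][event_data][LogonType] == "3" {
      mutate { add_field => { "[event][logon_type_name]" => "network" } }
    } else if [winlog][event_data][LogonType] == "10" {
      mutate { add_field => { "[event][logon_type_name]" => "remote interactive" } }
    }
  }
}
```

With the sample event from the first post this yields TEST => "OK", event.reason => "wrong password" and event.logon_type_name => "unlock", since SubStatus is 0xc000006a and LogonType is 7.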
