We send log data to Logstash through Winlogbeat, and we add a field to the data.
fields:
  campus: mu
We want the Logstash filter to add the field “campus” and set the value to null or unknown if the field does not exist. Doing so would be helpful if the winlogbeat.yml file is incorrect on a system.
Does anyone have any suggestions on how to do so?
Our current Logstash filter is:
filter {
  if [event_id] == 4624 or [event_id] == 4625 or [event_id] == 4648 or [event_id] == 4688 {
    truncate {
      id => "truncate_long"
      fields => "message"
      length_bytes => 200
    }
  }
}
We tried this, but it did not work.
filter {
  if [event_id] == 4624 or [event_id] == 4625 or [event_id] == 4648 or [event_id] == 4688 {
    truncate {
      id => "truncate_long"
      fields => "message"
      length_bytes => 200
    }
  }
  if ![fields][campus] {
    mutate { add_field => { "fields.campus" => "unk" } }
  }
}
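The following is an added example, not the configuration from the original post. In the attempt above, the `add_field` key `"fields.campus"` creates a top-level field whose name literally contains a dot; it does not populate the nested `[fields][campus]` object that Winlogbeat's `fields:` setting produces, which is why the condition keeps evaluating as missing. Logstash nested field references use bracket syntax in `add_field` as well as in conditionals. The filter below assumes the same event_id paths as the poster's own filter, uses "unknown" as the default value, and adds a constructed tag name (`campus_missing`) so events from hosts with a broken winlogbeat.yml can be found and the host fixed:

```conf
filter {
  # Default the campus field first, so every later filter stage sees it.
  # Winlogbeat's "fields:" block arrives under the nested "fields" object,
  # so the Logstash reference is [fields][campus], not "fields.campus".
  # The second clause also catches a setting that was left explicitly empty.
  if ![fields][campus] or [fields][campus] == "" {
    mutate {
      id => "campus_default"
      add_field => { "[fields][campus]" => "unknown" }
      # Constructed tag name: lets you query for hosts whose winlogbeat.yml
      # lacks the campus setting (tags:campus_missing) and fix them.
      add_tag => [ "campus_missing" ]
    }
  }

  if [event_id] == 4624 or [event_id] == 4625 or [event_id] == 4648 or [event_id] == 4688 {
    truncate {
      id => "truncate_long"
      fields => "message"
      length_bytes => 200
    }
  }
}
```

Validate the syntax with `bin/logstash --config.test_and_exit -f <pipeline file>` before reloading, then look at one event from a host that lacks the `fields:` block: it should carry `fields.campus: unknown` and the `campus_missing` tag, while events from correctly configured hosts keep their own campus value and no tag. Note that a literal `"fields.campus"` key from the earlier attempt, if it was ever indexed, shows up in Elasticsearch as a separate dotted field name rather than under the `fields` object, which is an easy way to confirm the cause in existing data.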