Is there a way that I can append data or field in winlog?
Let's say I have a csv file which consists of 5 data. Can I append this everytime windows logs are sent thru beats?
TIA
Is there a way that I can append data or field in winlog?
Let's say I have a csv file which consists of 5 data. Can I append this everytime windows logs are sent thru beats?
TIA
It is possible to add tags or a new field. Docs here.
Thank you for your response @Oozza.
Yes, I already saw this but how can I get data from the external file like text file or csv?
Seems that I really need to pre-configure the field.
hmmm. Let's say I want to include the computername, the some user details and some info which you can find in csv. How can i able to include this info on winlogevents?
I think winlogbeat won't do it for you. You will probably need to find some workaround or make a new beat.
Yes, probably i need to find another log forwarder of windows events.
You can reference environment variables from the config, but you would need some way to inject the data from the file into environment variable of the service which doesn't seem simple.
If you are able to do some development you could create a custom processor to enrich events with data from a file. We have some similar processors that enrich events with metadata coming from other sources like docker. You could create one that reads a JSON file and adds those fields to outgoing events. Something like
processors:
- add_json_metadata:
file: 'C:/host_metadata.json'
target: beat.meta
Thank you for your reply @andrewkroh. I'll gonna try that
And BTW you don't need to fork beats to implement this. You can build your own winlogbeat binary by having a minimalistic main package that registers your custom processor.
package main
import (
"os"
"github.com/elastic/beats/winlogbeat/cmd"
// Register custom processors.
_ "github.com/jogoinar/beats-json-metadata"
)
func main() {
if err := cmd.RootCmd.Execute(); err != nil {
os.Exit(1)
}
}
hmmm.. thanks for your input @andrewkroh.. but I'm new to beats and i don't know where to put this? I'll include this on the config file? Is this how to make a custom processor? Thanks again.
This task of adding a custom processor to read data from a JSON file requires some software development work. It requires you to build a customized version of Winlogbeat. The developer guide is helpful to show how to build a beat, but it doesn't go into processors (for that use the existing ones as a guide).
If you aren't up for development then please open an enhancement request for a new "add_json_metadata" processor in the project's repo on Github.
Thank you @andrewkroh. I'll check this one
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.