Additional field for winlogbeat


(Jonar B) #1

Is there a way that I can append data or field in winlog?

Let's say I have a CSV file which consists of 5 data items. Can I append this every time Windows logs are sent through Beats?

TIA


#2

It is possible to add tags or a new field. Docs here.


(Jonar B) #3

Thank you for your response @Oozza.

Yes, I already saw this, but how can I get data from an external file like a text file or CSV?
It seems that I really need to pre-configure the field.

Hmm. Let's say I want to include the computer name, some user details and some info which you can find in a CSV. How can I include this info in the winlog events?


#4

I think winlogbeat won't do it for you. You will probably need to find some workaround or make a new beat.


(Jonar B) #5

Yes, probably I need to find another log forwarder for Windows events.


(Andrew Kroh) #6

You can reference environment variables from the config, but you would need some way to inject the data from the file into an environment variable of the service, which doesn't seem simple.

If you are able to do some development you could create a custom processor to enrich events with data from a file. We have some similar processors that enrich events with metadata coming from other sources like Docker. You could create one that reads a JSON file and adds those fields to outgoing events. Something like:

processors:
- add_json_metadata:
    file: 'C:/host_metadata.json'
    target: beat.meta

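The enrichment logic such a processor would carry, as an added example that is not Andrew's code and not part of Beats. It uses only the Go standard library and does not register with libbeat; the `Event` type, `LoadMetadata`, `Enrich`, `AddJSONMetadata` and the `maxMetadataBytes` cap are assumptions made for this example. The file is loaded once at construction (the way a processor would read it at startup), must hold a single JSON object, is merged under a dotted `target` such as `beat.meta`, and never silently overwrites fields the event already carries or a scalar field that sits where the target object should go:

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Event stands in for the Fields map of a Beats event. Example type only;
// it is not libbeat's beat.Event.
type Event map[string]interface{}

// maxMetadataBytes caps the file size so a mis-pointed `file:` setting or a
// swapped-in huge file cannot exhaust memory at startup. Assumed limit.
const maxMetadataBytes = 1 << 20

// LoadMetadata reads a JSON file that must hold one top-level object and
// returns its fields. Arrays, scalars and null are rejected so a malformed
// file fails loudly at startup instead of silently adding nothing.
func LoadMetadata(path string) (map[string]interface{}, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if info.Size() > maxMetadataBytes {
		return nil, fmt.Errorf("%s: %d bytes exceeds limit of %d", path, info.Size(), maxMetadataBytes)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var meta map[string]interface{}
	if err := json.Unmarshal(data, &meta); err != nil {
		return nil, fmt.Errorf("%s: not a JSON object: %w", path, err)
	}
	if meta == nil {
		return nil, fmt.Errorf("%s: JSON null is not an object", path)
	}
	return meta, nil
}

// Enrich copies meta under the dotted target path (e.g. "beat.meta"),
// creating intermediate objects as needed, and returns how many keys were
// skipped. Keys already present under the target are kept unless overwrite
// is set; a target that collides with an existing non-object field is an
// error rather than a silent replacement.
func Enrich(ev Event, target string, meta map[string]interface{}, overwrite bool) (int, error) {
	cur := map[string]interface{}(ev)
	for _, seg := range strings.Split(target, ".") {
		if seg == "" {
			return 0, fmt.Errorf("target %q has an empty path segment", target)
		}
		existing, ok := cur[seg]
		if !ok {
			next := map[string]interface{}{}
			cur[seg] = next
			cur = next
			continue
		}
		next, ok := existing.(map[string]interface{})
		if !ok {
			return 0, fmt.Errorf("target %q collides with non-object field %q", target, seg)
		}
		cur = next
	}
	skipped := 0
	for k, v := range meta {
		if _, exists := cur[k]; exists && !overwrite {
			skipped++
			continue
		}
		cur[k] = v
	}
	return skipped, nil
}

// AddJSONMetadata mirrors the New/Run/String shape of a libbeat processor.
// The file is read once here; later edits to it take effect only on restart.
type AddJSONMetadata struct {
	file, target string
	meta         map[string]interface{}
}

func NewAddJSONMetadata(file, target string) (*AddJSONMetadata, error) {
	meta, err := LoadMetadata(file)
	if err != nil {
		return nil, err
	}
	return &AddJSONMetadata{file: file, target: target, meta: meta}, nil
}

func (p *AddJSONMetadata) Run(ev Event) (Event, error) {
	if _, err := Enrich(ev, p.target, p.meta, false); err != nil {
		return nil, err
	}
	return ev, nil
}

func (p *AddJSONMetadata) String() string {
	return fmt.Sprintf("add_json_metadata=[file=%s, target=%s]", p.file, p.target)
}

func main() {
	// Constructed metadata file and event; nothing here comes from a real host.
	dir, err := os.MkdirTemp("", "host_metadata")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "host_metadata.json")
	if err := os.WriteFile(path, []byte(`{"site":"HQ","owner":"ops-team","rack":"A12"}`), 0o600); err != nil {
		panic(err)
	}
	p, err := NewAddJSONMetadata(path, "beat.meta")
	if err != nil {
		panic(err)
	}
	out, err := p.Run(Event{"event_id": 4624, "beat": map[string]interface{}{"name": "winlogbeat"}})
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(out, "", "  ")
	fmt.Println(p, string(b))
}
```

The metadata file is effectively configuration, so it should be writable only by the account that manages the beat; anyone who can edit it can plant arbitrary fields in every event the host ships, which is why `Enrich` refuses to overwrite what the event already carries by default.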
(Jonar B) #7

Thank you for your reply @andrewkroh. I'm gonna try that :slight_smile:


(Andrew Kroh) #8

And BTW, you don't need to fork Beats to implement this. You can build your own winlogbeat binary by having a minimalistic main package that registers your custom processor.

package main

import (
	"os"

	"github.com/elastic/beats/winlogbeat/cmd"

	// Register custom processors.
	_ "github.com/jogoinar/beats-json-metadata"
)

func main() {
	if err := cmd.RootCmd.Execute(); err != nil {
		os.Exit(1)
	}
}

(Jonar B) #9

Hmm... thanks for your input @andrewkroh, but I'm new to Beats and I don't know where to put this. Should I include this in the config file? Is this how to make a custom processor? Thanks again. :+1:


(Andrew Kroh) #10

This task of adding a custom processor to read data from a JSON file requires some software development work. It requires you to build a customized version of Winlogbeat. The developer guide is helpful to show how to build a beat, but it doesn't go into processors (for that use the existing ones as a guide).

If you aren't up for development then please open an enhancement request for a new "add_json_metadata" processor in the project's repo on GitHub.


(Jonar B) #11

Thank you @andrewkroh. I'll check this one


(system) #12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.