Beats not parsed

When using Beats as the input, the data is printed to the console continuously and looks completely scrambled. What could be the reason?

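# Logstash pipeline: Beats input -> Azure Log Analytics outputs.
# Settings are unchanged from the original except that every key_types hash now
# quotes all of its keys ('agent' and 'host' were barewords while the rest were quoted).
input {
  beats {
    port => 5044
  }
}

filter {
  # Strip the housekeeping tag the beats input adds when it applies its default codec,
  # so it is not forwarded as part of [tags].
  if "beats_input_codec_plain_applied" in [tags] {
    mutate {
      remove_tag => ["beats_input_codec_plain_applied"]
    }
  }
}

output {
  # NOTE(review): this output is unconditional, so every event is sent here AND to exactly
  # one of the conditional outputs below. If they all point at the same workspace, each
  # event is ingested twice; drop this block or wrap it in a condition if that is not intended.
  # NOTE(review): shared_key is a workspace credential; keep it out of the pipeline file and
  # reference it from the Logstash keystore / environment, e.g. shared_key => "${AZURE_SHARED_KEY}"
  # (placeholder name, constructed).
  azure_loganalytics {
    customer_id => "xxxxxx"
    shared_key => "xxxxxx"
    log_type => "Syslog"
    # NOTE(review): "iso8610timestamp" looks like a typo of "iso8601timestamp" - confirm that a
    # field with exactly this name exists on the events, otherwise TimeGenerated is not set from it.
    time_generated_field => "iso8610timestamp"
    # NOTE(review): in the sample event 'instance' is nested under [cloud], not top-level - confirm
    # key_names matches the real event shape.
    key_names => ['cloud','message','winlog','instance','agent','host','tags']
    key_types => {'cloud'=>'string' 'message'=>'string' 'winlog'=>'string' 'instance'=>'string' 'tags'=>'string' 'agent'=>'string' 'host'=>'string'}
    flush_items => 10
    flush_interval_time => 5
  }

  # Per-machine routing on the Beats-side tags; tag matching is case-sensitive, so "machine1"
  # and "Machine2" must be spelled exactly as the agents emit them.
  if "machine1" in [tags] {
    azure_loganalytics {
      customer_id => "xxxxxx"
      shared_key => "xxxxxx"
      log_type => "Syslog"
      time_generated_field => "iso8610timestamp"
      key_names => ['cloud','message','winlog','instance','agent','host','tags']
      key_types => {'cloud'=>'string' 'message'=>'string' 'winlog'=>'string' 'instance'=>'string' 'tags'=>'string' 'agent'=>'string' 'host'=>'string'}
      flush_items => 10
      flush_interval_time => 5
    }
  }
  else if "Machine2" in [tags] {
    azure_loganalytics {
      customer_id => "xxxxxx"
      shared_key => "xxxxxx"
      log_type => "Syslog"
      time_generated_field => "iso8610timestamp"
      key_names => ['cloud','message','instance','winlog','agent','host','tags']
      key_types => {'cloud'=>'string' 'message'=>'string' 'winlog'=>'string' 'instance'=>'string' 'tags'=>'string' 'agent'=>'string' 'host'=>'string'}
      flush_items => 10
      flush_interval_time => 5
    }
  }
  else {
    # Catch-all for events carrying neither tag.
    azure_loganalytics {
      customer_id => "xxxxxx"
      shared_key => "xxxxxx"
      log_type => "Syslog"
      time_generated_field => "iso8610timestamp"
      key_names => ['cloud','message','instance','winlog','agent','host','tags']
      key_types => {'cloud'=>'string' 'message'=>'string' 'winlog'=>'string' 'instance'=>'string' 'tags'=>'string' 'agent'=>'string' 'host'=>'string'}
      flush_items => 10
      flush_interval_time => 5
    }
  }
}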

Example log file (truncated):
"instance":{"name":"Opwindows-machine","id":"5xxxxxxx"},"region":"westeurope","machine":{"type":"Standard_D2_v2"},"provider":"az"},"message":"The handle to an object was closed.\n\nSubjec
t :\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tDomain-WIN10-VM$\n\tAccount Domain:\t\tDomain\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\t\tSecurity\n\tHandle ID:\t\t0x1d2c\n\nProc
ess Information:\n\tProcess ID:\t\t0x214\n\tProcess Name:\t\tC:\WindowsAzure\GuestAgent_2.7.41491.949_2019-12-11_215454\CollectGuestLogs.exe","winlog":{"keywords":["Audit Success"],"compu
ter_name":"Domain-Win10-VM.Domain.local","opcode":"Info","api":"wineventlog","event_id":4658,"process":{"pid":4,"thread":{"id":2672}},"channel":"Security","task":"File System","provider_guid":
"{xxxxxxxx}","record_id":421390702,"event_data":{"SubjectDomainName":"Domain","ProcessId":"0x214","ProcessName":"C:\WindowsAzure\GuestAgent_2.7.41491.949_2019-12
-11_215454\CollectGuestLogs.exe","HandleId":"0x1d2c","ObjectServer":"Security","SubjectUserName":"Domain-WIN10-VM$","SubjectLogonId":"0x3e7","SubjectUserSid":"S-1-5-18"},"provider_name":"Mic
rosoft-Windows-Security-Auditing"},"agent":{"hostname":"Domain-Win10-VM","id":"1f9a2496-2410-48bd-beba-927f4e21139c","type":"winlogbeat","version":"7.5.0","ephemeral_id":"06dc3765-4886-4af5-b
47b-8652742d0d9f"},"host":{"architecture":"x86_64","hostname":"Domain-Win10-VM","name":"Domain-Win10-VM","os":{"kernel":"10.0.18362.535 (WinBuild.160101.0800)","family":"windows","platform":"w
indows","name":"Windows 10 Pro","version":"10.0","build":"18362.535"},"id":"xxxxxxx"},"tags":},{"cloud":{"instance":{"name":"Domain-Domain-02","id":"ad1e311f-9f0
f-438f-b9fc-2463bd849185"},"region":"westeurope","machine":{"type":"Standard_DS2_v2"},"provider":"az"},"message":"A handle to an object was requested.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18
\n\tAccount Name:\t\tDomain-Domain-02$\n\tAccount Domain:\t\tDomain\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\t\tSecurity\n\tObject Type:\t\tKey\n\tObject Name:\t\t\REGISTRY\USER\.D
EFAULT\n\tHandle ID:\t\t0x714\n\tResource Attributes:\t-\n\nProcess Information:\n\tProcess ID:\t\t0x11dc\n\tProcess Name:\t\tC:\Windows\System32\wbem\WmiPrvSE.exe\n\nAccess Request Info
rmation:\n\tTransaction ID:\t\t{00000000-0000-0000-0000-000000000000}\n\tAccesses:\t\tDELETE\n\t\t\t\tREAD_CONTROL\n\t\t\t\tWRITE_DAC\n\t\t\t\tWRITE_OWNER\n\t\t\t\tQuery key value\n\t\t\t\tS
et key value\n\t\t\t\tCreate sub-key\n\t\t\t\tEnumerate sub-keys\n\t\t\t\tNotify about changes to keys\n\t\t\t\tCreate Link\n\t\t\t\t\n\tAccess Reasons:\t\t-\n\tAccess Mask:\t\t0xF003F\n\tPr
ivileges Used for Access Check:\t-\n\tRestricted SID Count:\t0","winlog":{"keywords":["Audit Success"],"computer_name":"Domain-Domain-02.Domain.local","opcode":"Info","api":"wineventlog","proce
ss":{"pid":4,"thread":{"id":3308}},"event_id":4656,"task":"Registry","channel":"Security","provider_guid":"{xxxxxxxx}","record_id":xxxxxxxx,"version":1,"event_da
ta":{"AccessList":"%%1537\n\t\t\t\t%%1538\n\t\t\t\t%%1539\n\t\t\t\t%%1540\n\t\t\t\t%%4432\n\t\t\t\t%%4433\n\t\t\t\t%%4434\n\t\t\t\t%%4435\n\t\t\t\t%%4436\n\t\t\t\t%%4437\n\t\t\t\t","AccessRe
ason":"-","ResourceAttributes":"-","ObjectServer":"Security","HandleId":"0x714","ObjectType":"Key","RestrictedSidCount":"0","SubjectUserSid":"S-1-5-18","TransactionId":"{00000000-0000-0000-0
000-000000000000}","PrivilegeList":"-","SubjectDomainName":"Domain","ProcessId":"0x11dc","ProcessName":"C:\Windows\System32\wbem\WmiPrvSE.exe","SubjectUserName":"Domain-Domain-02$","AccessM
ask":"0xf003f","ObjectName":"\REGISTRY\USER\.DEFAULT","SubjectLogonId":"0x3e7"},"provider_name":"Microsoft-Windows-Security-Auditing"},"agent":{"hostname":"Domain-Domain-02","id":"f45cd3dd-
3afb-4d6d-9ed8-b82074876719","type":"winlogbeat","version":"7.5.0","ephemeral_id":"42ec19ba-6d1c-4dad-ba2b-d334107ef836"},"host":{"architecture":"x86_64","name":"Domain-Domain-02","hostname":"
Domain-Domain-02","os":{"kernel":"10.0.14393.3383
