Can not add a new field using if filter and add_field

brapnda23 · June 29, 2020, 2:39pm

Newbie here. Trying to add another field but not working. I have added below set of codes to a .conf file under /etc/conf.d. Logs for logstash not showing any error. Am I doing something wrong here? Using the new 7.8 version. Through winlogbeat.yml I am already injecting "winlogbeat" to the tags. Right now my tags look like -
winlogbeat, ActiveDirectory, beats_input_codec_plain_applied

filter {
if "winlogbeat" in [tags] and [event_id] == 4624 {
mutate {
add_field => { "messagemy" => "An account was successfully logged on" }
}
}
}

chandu5565 · June 29, 2020, 2:44pm

If you are using and operator both the conditions has to be true. use below filter it should work.

filter {
if "winlogbeat" in [tags] and "4624" in [event_id] {
mutate {
add_field => { "messagemy" => "An account was successfully logged on" }
}
}
}

brapnda23 · June 29, 2020, 3:10pm

Just updated to suggested filter, didn't work.

End goal is to have that 1st line of the message filed as a new field. Even if I make this work, I have to maintain individual filters for all event IDs. Is there a better way to extract the 1st like from the message field.

Badger · June 29, 2020, 3:33pm

Is event_id nested inside an object, such as [winlog][event_id], for example.

brapnda23 · June 29, 2020, 3:45pm

If I expand the document, it shows as winlog.event_id. Here is the screenshot.

windows event id table

Badger · June 29, 2020, 4:24pm

If event_id is a field nested inside the winlog object then although in kibana you would refer to it as winlog.event_id, in logstash you have to refer to it as [winlog][event_id]

system · July 27, 2020, 4:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.