Cannot add new field from event type

Hello guys,

I'm new to the ELK stack and trying to add a custom field to Kibana using a filter in Logstash. Can someone point me in the right direction?

I want to add the field "Logon Activity" like the "message" shown in the picture below:


filter {
  if [agent][type] == "winlogbeat" and [winlog][channel] == "Security" and [event_id] == 4624 or [event_id] == 4634 {
    mutate {
      remove_field => ["[message]"]
      add_field => { "short_message" => "Logon Activity" }
    }
  }
}

Thanks,

Would you be happy with just replacing the value of message e.g.

mutate {
  replace => [ "message", "Logon Activity" ]
}

If you have already added the change you outlined in your post, you will probably need to refresh the field mappings in Kibana.

What I've done so far, and it seems to work, was:

filter {
  # Parentheses group the two event_id checks so that a 4634 event is only
  # matched when the tag and channel checks also hold.
  if "winlogbeat" in [tags] and [winlog][channel] == "Security" and ([winlog][event_id] == 4624 or [winlog][event_id] == 4634) {
    mutate {
      remove_field => ["[message]"]
      add_field => { "ADLogon" => "Logon Activity" }
    }
  }
}

Had to specify [winlog] in front of [event_id], as the event below shows:

"winlog" => {
    "opcode" => "Info",
    "computer_name" => "demo.local",
    "task" => "Process Creation",
    "keywords" => [
        [0] "Audit Success"
    ],
    "record_id" => 8110800,
    "provider_name" => "Microsoft-Windows-Security-Auditing",
    "process" => {
        "thread" => {
            "id" => 20228
        },
        "pid" => 4
    },
    "api" => "wineventlog",
    "channel" => "Security",
    "version" => 2,
    "event_id" => 4624,
}
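The following is an added example, not code from the thread or from Logstash: a small Ruby model of the working filter above, run over constructed winlogbeat-style events. It shows the two points the thread turns on, that winlogbeat nests the id under `winlog` (so a top-level `[event_id]` check never matches), and that the two `event_id` comparisons need to be grouped with parentheses so a 4634 event is only matched when the tag and channel checks also hold. The event hashes and their `message` strings are constructed sample data.

```ruby
# Added example (not from the thread): Ruby model of the Logstash filter the
# original poster ended up with, applied to constructed winlogbeat-style events.
#
# Logstash conditional being mirrored, with parentheses grouping the id checks:
#
#   if "winlogbeat" in [tags] and [winlog][channel] == "Security"
#      and ([winlog][event_id] == 4624 or [winlog][event_id] == 4634) {
#     mutate {
#       remove_field => ["[message]"]
#       add_field => { "ADLogon" => "Logon Activity" }
#     }
#   }

# 4624 = successful logon, 4634 = logoff (Security channel).
LOGON_EVENT_IDS = [4624, 4634].freeze

# Equivalent of the Logstash `if` above. Winlogbeat places the event id under
# "winlog", so a top-level event["event_id"] is not consulted at all.
def logon_activity?(event)
  winlog = event["winlog"] || {}
  Array(event["tags"]).include?("winlogbeat") &&
    winlog["channel"] == "Security" &&
    LOGON_EVENT_IDS.include?(winlog["event_id"])
end

# Equivalent of the mutate block: drop "message", add "ADLogon".
# Returns a new hash; the input event is left untouched.
def apply_logon_filter(event)
  return event unless logon_activity?(event)
  out = event.dup
  out.delete("message")
  out["ADLogon"] = "Logon Activity"
  out
end

# Constructed sample events in the shape winlogbeat (tagged "winlogbeat")
# hands to Logstash; only the fields the filter reads are included.
SAMPLE_EVENTS = [
  { "tags" => ["winlogbeat"], "message" => "An account was successfully logged on.",
    "winlog" => { "channel" => "Security", "event_id" => 4624 } },
  { "tags" => ["winlogbeat"], "message" => "An account was logged off.",
    "winlog" => { "channel" => "Security", "event_id" => 4634 } },
  { "tags" => ["winlogbeat"], "message" => "A new process has been created.",
    "winlog" => { "channel" => "Security", "event_id" => 4688 } },
  # Same id as a logon event but on another channel: must not match.
  { "tags" => ["winlogbeat"], "message" => "Constructed System-channel event",
    "winlog" => { "channel" => "System", "event_id" => 4624 } },
  # Top-level event_id, the path the first post's condition tested; winlogbeat
  # does not populate it, so this event must not match either.
  { "tags" => ["winlogbeat"], "message" => "Constructed event with top-level id",
    "event_id" => 4624, "winlog" => { "channel" => "Security" } },
].freeze

# Run every sample event through the filter and return the results.
def run_pipeline(events = SAMPLE_EVENTS)
  events.map { |e| apply_logon_filter(e) }
end

if __FILE__ == $PROGRAM_NAME
  run_pipeline.each do |e|
    id = e.dig("winlog", "event_id") || e["event_id"]
    puts "#{id} #{e.dig('winlog', 'channel')} -> ADLogon=#{e['ADLogon'].inspect} message=#{e['message'].inspect}"
  end
end
```

Running the script prints one line per event; only the first two (4624 and 4634 on the Security channel) come out with `ADLogon` set and `message` removed. To test the real Logstash pipeline the same way, feed it a saved winlogbeat event with a `stdin` input and a `stdout { codec => rubydebug }` output and confirm the `ADLogon` field appears before looking for it in Kibana, where the index pattern's field list still has to be refreshed as the earlier reply notes.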
