Configure Beats to only see certain fields in Elasticsearch

Hi Guys,
first of all, I do apologize if this is something that has been answered in the past.

What I'm trying to achieve is the following - let's take the Winlogbeat as an example:
I'm only interested in seeing what type of Events have been triggered, as well as the Hostname that triggered them, the Username, potentially the Message of the Event, ProcessName(s), Event-ID(s), Host-IP plus Host-MAC and the Timestamp when the Event was triggered.

If I however start to add the Event-IDs I'm interested in - using the lines below - I also get information such as Host-Platform, OS-Type etc. (so all of the stuff I don't want to see).

winlogbeat.event_logs:
  # - name: System
  - name: Security
    event_id: 4624, 4625, 4656, 4670, 4672, 4688

Is there any way of basically configuring the output to only show those bits mentioned above? If so, how and where do I do this? Is it in the Logstash config file where I have to add this?

Sorry for those questions - I'm still a newbie and I haven't found an answer to this here - I might not have searched properly.

Hi @_Thomas, you can use the drop_fields processor to drop specific fields; more on this here: Drop fields from events | Winlogbeat Reference [master] | Elastic

@MarianaD ohhh that's awesome - thank you.

I assume this is the correct way of using this option:

processors:
    - drop_fields:
      when:
        has_fields:
      fields: ["agent.ephemeral_id", "agent.hostname", ...]
      ignore_missing: false

EDIT:
Am I not allowed to write the drop_fields like this:

processors:
  #- add_host_metadata:
      #when.not.contains.tags: forwarded
  #- add_cloud_metadata: ~
    - drop_fields:
when:
        has_fields:
      fields: ['agent.ephemeral_id', 'agent.id', 'agent.name', 'agent.type', 'agent.version', 'ecs.version', 'event.action', 'event.code', 'event.kind', 'event.outcome', 'event.provider', 'host.architecture', 'host.id', 'host.name', 'host.os.build', 'host.os.family', 'host.os.kernel', 'host.os.name', 'host.os.platform', 'host.os.type', 'host.os.version', 'log.level', 'winlog.activity_id', 'winlog.api', 'winlog.channel', 'winlog.computer_name', 'winlog.event_data.AuthenticationPackageName', 'winlog.event_data.ElevatedToken', 'winlog.event_data.ImpersonationLevel', 'winlog.event_data.IpAddress', 'winlog.event_data.IpPort', 'winlog.event_data.IpKeyLength', 'winlog.event_data.LmPackageName', 'winlog.event_data.LogonGUID', 'winlog.event_data.LogonProcessName', 'winlog.event_data.LogonType', 'winlog.event_data.ProcessId', 'winlog.event_data.RestrictedAdminMode', 'winlog.event_data.SubjectDomainName', 'winlog.event_data.SubjectLogonId', 'winlog.event_data.SubjectUserName', 'winlog.event_data.SubjectUserSid', 'winlog.event_data.TargetDomainName', 'winlog.event_data.TargetLinkedLogonId', 'winlog.event_data.TargetOutboundDomainName', 'winlog.event_data.TargetOutboundUserName', 'winlog.event_data.TargetUserName', 'winlog.event_data.TargetUserSid', 'winlog.event_data.TransmittedServices', 'winlog.event_data.VirtualAccount', 'winlog.opcode', 'winlog.process.threat.id', 'winlog.provider_guid', 'winlog.provider_name', 'winlog.task', 'winlog.version']
      ignore_missing: false

Because I get this error message:
Exiting: error loading config file: yaml: line 131: did not find expected key

Line 131 is basically where the "has_fields" command starts

EDIT 2:
Exiting: error initializing processors: each processor must have exactly one action, but found 3 actions (fields,ignore_missing,drop_fields)
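Both errors in the thread come from indentation. In the posted config, `when`, `fields` and `ignore_missing` sit at the same column as `drop_fields` (or, in the EDIT version, `when:` is not indented at all), so YAML either fails to parse ("did not find expected key") or reads them as sibling keys of the list item, which Beats then reports as three separate actions. Everything that belongs to the processor has to be indented underneath `drop_fields:`, and `has_fields` takes a list of field names, not an empty value. The following is a corrected `winlogbeat.yml` fragment written for this reply as an example; it is not from the thread or from Elastic's documentation. The field names are taken from the list posted above, minus the ones the question says it wants to keep (host.name, event.code, message, the TargetUserName/SubjectUserName event data and the timestamp). Note that host.ip and host.mac are produced by add_host_metadata, so that processor must stay enabled if those two fields are wanted.

```yaml
winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4656, 4670, 4672, 4688

processors:
  # host.ip and host.mac come from this processor; leaving it commented
  # out would remove exactly the fields the question wants to keep.
  - add_host_metadata: ~

  # One processor per list item. "when", "fields" and "ignore_missing"
  # are indented two spaces deeper than "drop_fields", so they are read
  # as its settings rather than as extra actions of the list item.
  - drop_fields:
      # has_fields takes a list. This condition only touches events that
      # carry host.os.platform; remove the whole "when" block to apply
      # the drop to every event.
      when:
        has_fields: ["host.os.platform"]
      fields:
        - agent.ephemeral_id
        - agent.id
        - agent.name
        - agent.type
        - agent.version
        - ecs.version
        - host.architecture
        - host.id
        - host.os.build
        - host.os.family
        - host.os.kernel
        - host.os.name
        - host.os.platform
        - host.os.type
        - host.os.version
        - winlog.activity_id
        - winlog.api
        - winlog.opcode
        - winlog.provider_guid
        - winlog.task
        - winlog.version
        # Event-data fields that only exist on some of the selected IDs
        # (4688 has no LogonType, for example).
        - winlog.event_data.LogonType
        - winlog.event_data.ImpersonationLevel
        - winlog.event_data.AuthenticationPackageName
      # Because not every field above exists on every event ID, "true"
      # avoids a logged error for each event that lacks one of them.
      ignore_missing: true
```

After editing, `winlogbeat test config -c winlogbeat.yml` reports whether the file parses before the service is restarted. If the list of fields to drop is much longer than the list to keep, the `include_fields` processor is the shorter way to express the same intent as an allow-list (the `@timestamp` field is always kept by it), using the same indentation shape as above.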

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.