My Logstash debug messages are:
Oct 12 11:10:16 localhost.localdomain logstash[17086]: [2018-10-12T11:10:16,683][DEBUG][org.logstash.beats.BeatsHandler] [local: 172.20.11.19:5044, remote: 172.20.11.16:51070] Received a new payload
Oct 12 11:10:16 localhost.localdomain logstash[17086]: [2018-10-12T11:10:16,683][DEBUG][org.logstash.beats.BeatsHandler] [local: 172.20.11.19:5044, remote: 172.20.11.16:51070] Sending a new message for the listener, sequence: 1
Oct 12 11:10:16 localhost.localdomain logstash[17086]: [2018-10-12T11:10:16,684][DEBUG][org.logstash.beats.BeatsHandler] 3a0abf13: batches pending: false
Oct 12 11:10:16 localhost.localdomain logstash[17086]: [2018-10-12T11:10:16,788][DEBUG][logstash.pipeline ] filter received {"event"=>{"record_number"=>"11403578", "beat"=>{"hostname"=>"COMPANY-HO-DC1", "name"=>"COMPANY-HO-DC1", "version"=>"6.4.2"}, "message"=>"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tCOMPANY-HO-DC1$\n\tAccount Domain:\t\tCOMPANY\n\tLogon ID:\t\t0x23277f0\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", "type"=>"wineventlog", "log_name"=>"Security", "host"=>{"name"=>"COMPANY-HO-DC1"}, "computer_name"=>"COMPANY-HO-DC1.COMPANY.com", "process_id"=>464, "keywords"=>["Audit Success"], "@version"=>"1", "@timestamp"=>2018-10-12T05:35:23.425Z, "level"=>"Information", "thread_id"=>2764, "event_data"=>{"TargetUserName"=>"COMPANY-HO-DC1$", "LogonType"=>"3", "TargetDomainName"=>"COMPANY", "TargetLogonId"=>"0x23277f0", "TargetUserSid"=>"S-1-5-18"}, "provider_guid"=>"{54849625-5478-4994-A5BA-3E3B0328C30D}", "opcode"=>"Info", "task"=>"Logoff", "tags"=>["beats_input_codec_plain_applied"], "source_name"=>"Microsoft-Windows-Security-Auditing", "event_id"=>4634}}
Oct 12 11:10:16 localhost.localdomain logstash[17086]: [2018-10-12T11:10:16,791][DEBUG][logstash.filters.grok ] Running grok filter {:event=>#<LogStash::Event:0x6ebdf3cd>}
Oct 12 11:10:16 localhost.localdomain logstash[17086]: [2018-10-12T11:10:16,791][DEBUG][logstash.filters.grok ] Event now: {:event=>#<LogStash::Event:0x6ebdf3cd>}
Oct 12 11:10:16 localhost.localdomain logstash[17086]: [2018-10-12T11:10:16,791][DEBUG][logstash.pipeline ] output received {"event"=>{"record_number"=>"11403578", "beat"=>{"hostname"=>"Company-HO-DC1", "name"=>"COMPANY-HO-DC1", "version"=>"6.4.2"}, "message"=>"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tCOMPANY-HO-DC1$\n\tAccount Domain:\t\tCOMPANY\n\tLogon ID:\t\t0x23277f0\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", "type"=>"wineventlog", "log_name"=>"Security", "host"=>{"name"=>"Company-HO-DC1"}, "computer_name"=>"Company-HO-DC1.Company.com", "process_id"=>464, "keywords"=>["Audit Success"], "@version"=>"1", "@timestamp"=>2018-10-12T05:35:23.425Z, "level"=>"Information", "thread_id"=>2764, "event_data"=>{"TargetUserName"=>"COMPANY-HO-DC1$", "LogonType"=>"3", "TargetDomainName"=>"COMPANY", "TargetLogonId"=>"0x23277f0", "TargetUserSid"=>"S-1-5-18"}, "provider_guid"=>"{54849625-5478-4994-A5BA-3E3B0328C30D}", "opcode"=>"Info", "task"=>"Logoff", "tags"=>["beats_input_codec_plain_applied", "_grokparsefailure"], "source_name"=>"Microsoft-Windows-Security-Auditing", "event_id"=>4634}}
I am receiving logs from a Windows server.
My Logstash conf file is:
input {
  beats {
    port => 5044
  }
}
filter {
  grok {
    match => { "event_id" => "1149" }
    add_tag => ["warning"]
  }
}
output {
  if "warning" in [tags] {
    email {
      to => "its@company.com"
      address => "smtp.gmail.com"
      port => "587"
      via => "smtp"
      use_tls => "true"
      username => "it.support@company.com"
      password => ""
      from => "it.support@company.com"
      subject => "critical event spotted by ELK from : %{host}, %{TIMESTAMP_ISO8601:timestamp}, EventID = %{event_id}"
      body => "%{message}"
    }
  }
  elasticsearch {
    hosts => ["172.30.11.19:9200"]
    sniffing => true
    manage_template => true
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
I am filtering on the event ID and sending email alerts when a certain event ID matches. I want to add the timestamp to the email. How do I convert "@timestamp"=>2018-10-12T05:35:23.425Z
to a normal date and time?
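The pipeline below is an added example, not the poster's configuration. It shows the pattern a practitioner would use for this question: select the event by comparing the numeric event_id field in a conditional (grok against a number is what produced the _grokparsefailure tag in the debug output), convert @timestamp to a readable local-time string with a ruby filter, and reference that string in the email subject. The field name readable_time, the keystore key SMTP_PASSWORD and the second event ID 4634 (taken from the debug log above) are assumptions made for the example; the elasticsearch output is the poster's own, kept unchanged.

```logstash
input {
  beats {
    port => 5044
  }
}

filter {
  # Winlogbeat 6.x ships event_id as an integer at the top level of the event
  # (see "event_id"=>4634 in the debug output), so compare it as a number.
  # A plain conditional replaces the grok filter, which only matches strings
  # and tagged every event with _grokparsefailure.
  if [event_id] == 1149 or [event_id] == 4634 {
    mutate {
      add_tag => ["warning"]
    }

    # @timestamp is a LogStash::Timestamp and is always UTC. .time returns a
    # Ruby Time, .localtime moves it to the Logstash host's time zone, and
    # strftime renders it. "readable_time" is an assumed field name.
    ruby {
      code => "
        t = event.get('@timestamp').time.localtime
        event.set('readable_time', t.strftime('%Y-%m-%d %H:%M:%S %Z'))
      "
    }
  }
}

output {
  if "warning" in [tags] {
    email {
      to       => "its@company.com"
      address  => "smtp.gmail.com"
      port     => 587
      via      => "smtp"
      use_tls  => true
      username => "it.support@company.com"
      # Assumed keystore key: keep the SMTP password out of the .conf file
      # (bin/logstash-keystore add SMTP_PASSWORD).
      password => "${SMTP_PASSWORD}"
      from     => "it.support@company.com"
      # host is an object in Beats 6.x ({"name"=>...}), so %{host} prints the
      # whole map; %{[host][name]} prints just the hostname. readable_time is
      # the local-time string set by the ruby filter. If UTC is acceptable,
      # %{+yyyy-MM-dd HH:mm:ss} formats @timestamp directly with no ruby filter.
      subject  => "critical event spotted by ELK from %{[host][name]} at %{readable_time}, EventID = %{event_id}"
      body     => "%{message}"
    }
  }
  elasticsearch {
    hosts => ["172.30.11.19:9200"]
    sniffing => true
    manage_template => true
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
```

The ruby filter follows the JVM's default time zone; if the Logstash host runs in UTC but the mail should show another zone, replace .localtime with .getlocal('+05:30') (or whatever offset applies). Note that @timestamp here is the Windows event time set by Winlogbeat, not the time Logstash received the event, which is what the alert should carry.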