Hello Community,
I'm still pretty new to the Elastic Stack.
I got a cluster of 1 master and 2 nodes set up, and already got all my Beat agents deployed on the servers. Now I set up beat nodes on my cluster as well, to monitor any activity on it as well (I use ELK as a security setup). My problem is that the fields which are filtered now are rudimentary.
The field "message" holds a few pieces of information I actually want to filter by. How do I get my ES to put certain values in new fields? I found the fields.yml file, but I'm not sure how to use it, just write stuff somewhere? In which syntax? Do I have to watch out for something?
Information in the message field looks like:
type=CRYPTO_KEY_USER msg=audit(1111111111.111:1111111): pid=111111 uid=0 auid=1111111111 ses=111111111 subj=system:
Let's say in this example I want the information
type=CRYPTO_KEY_USER
separated into an extra field, by which I can filter in Kibana
Thanks in advance!
Mo
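Added example (not part of the thread above and not from Elastic): the message in the post is a Linux audit record, a space-separated list of key=value pairs. Splitting it into fields is done at ingest time, for instance with an Elasticsearch ingest pipeline using the `kv` processor; fields.yml in a Beat only declares field names and types for the index template and does not extract anything from `message`. The parser below shows, in plain Python, what such a key=value split produces for the sample line (a constructed copy of the post's message), including the `msg=audit(timestamp:serial)` token that a naive split would leave as one opaque string. `build_kv_pipeline` returns an ingest pipeline body using the documented `kv` processor options; the pipeline id and the `audit` target field name are assumptions chosen for the example.

```python
import re
from typing import Dict

# Constructed sample record, in the shape of the message shown in the post.
SAMPLE_MESSAGE = (
    "type=CRYPTO_KEY_USER msg=audit(1111111111.111:1111111): pid=111111 uid=0 "
    "auid=1111111111 ses=111111111 subj=system:"
)

# key=value where the value is either a double-quoted string or a run of
# non-space characters (audit records quote values that may contain spaces).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The audit message header: audit(<epoch seconds>.<millis>:<serial>) plus an
# optional trailing colon, as in the sample line.
_AUDIT_MSG_RE = re.compile(r'^audit\((\d+)\.(\d+):(\d+)\):?$')


def parse_audit_message(message: str) -> Dict[str, str]:
    """Split an audit-style key=value line into a flat dict of fields."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(message):
        # Strip surrounding quotes but keep the inner text verbatim.
        value = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
        if key == "msg":
            m = _AUDIT_MSG_RE.match(value)
            if m:
                # Expose the event time and serial as their own fields, so
                # records belonging to one event (same serial) can be grouped.
                fields["audit.timestamp"] = f"{m.group(1)}.{m.group(2)}"
                fields["audit.serial"] = m.group(3)
                continue
        fields[key] = value
    return fields


def build_kv_pipeline(target_field: str = "audit") -> dict:
    """Ingest pipeline body doing the equivalent split inside Elasticsearch.

    The processor name and option keys (field, field_split, value_split,
    target_field, ignore_missing) are the documented kv processor options;
    the target field name is an assumption for this example.
    """
    return {
        "description": "Split audit key=value pairs out of message",
        "processors": [
            {
                "kv": {
                    "field": "message",
                    "field_split": " ",
                    "value_split": "=",
                    "target_field": target_field,
                    "ignore_missing": True,
                }
            }
        ],
    }


if __name__ == "__main__":
    for k, v in parse_audit_message(SAMPLE_MESSAGE).items():
        print(f"{k} = {v}")
```

With the pipeline in place (PUT _ingest/pipeline/<id> and the Beat output pointed at it), the sample record becomes `audit.type: CRYPTO_KEY_USER`, `audit.pid: 111111` and so on, each a separate field in Kibana. One caveat worth keeping in mind: `kv` does not parse the `msg=audit(...)` header, so add a `dissect` or `grok` step, or a script, if the event serial is needed for correlation.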