Delete explanation in message field

herrBez · August 23, 2019, 3:16pm

Hi There,

I am importing logs with winlogbeat 7.3.0. All works fine

However, some of the events I am collecting contains sometimes an explanation inside a message, e.g., 4679

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4769

which I do not need (is redundant and always the same for all the events of the same class) and occupy space in the shards.

I am wondering if it is possible to delete the explanation from "This event" to the end of the line through a processor, or if it is better to deal with the problem from the EventViewer itself.

Let me know if the question is off topic.

Thank you,
Mirko

herrBez · August 30, 2019, 6:54am

I wrote a winlogbeat "script" processor that keeps the portion of message that matches a given pattern.

system · September 27, 2019, 6:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Removing "winlog" prefix in winlogbeat Beats winlogbeat	1	532	August 20, 2020
How to add a field with description for a specific Windows Event ID? Beats winlogbeat	6	555	April 28, 2021
How can I skip recording an event with these conditions Beats winlogbeat	2	338	May 15, 2021
Filter out Windows proccesses Beats winlogbeat	2	352	June 6, 2019
Winlogbeat filtering problem Beats winlogbeat	3	337	October 12, 2020

Delete explanation in message field

Related topics