Different field syntaxes between winlogbeat and logstash (fingerprint plugin)

Hello,

I want to compare the fingerprint computed by Logstash and the one computed by Winlogbeat for the same field.
But when I provide the "field" setting in Winlogbeat and then provide the same field in the "source" setting in Logstash, the fingerprints are different, or one of them (Winlogbeat or Logstash) produces no fingerprint at all.
I give you an example to clarify my problem:

I want to get the fingerprint of "event.original"

Winlogbeat configuration:

output.logstash:
  hosts: ["192.168.1.1:5044"]

processors:
  - fingerprint:
      fields: ["event.original"]
      method: sha256

Logstash configuration:

input{
  beats {
    port => 5044
  }
}

filter {
  fingerprint {
    source => ["event.original"]
    method => "SHA256"
    target => "fingerprint-check"
  }
}

output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
    user => "user"
    password => "password"
    ssl => true
    # disables certificate verification of the Elasticsearch endpoint; the cacert below is then not checked
    ssl_certificate_verification => false
    cacert => '/etc/logstash/ssl/elasticsearch-ca.pem'
  }
}

On the Kibana dashboards the "fingerprint-check" field (the fingerprint from Logstash) doesn't appear, while the one from Winlogbeat appears in the Kibana logs.

I am wondering if there is a difference between the syntax of the Winlogbeat field and the Logstash source (which are supposed to be the same?).

If event is an object that contains a field called original then in logstash that would be called [event][original], not [event.original], which in logstash refers to a field with a . in its name.

Thanks for your answer @Badger.

When I use the syntax "[event][original]" in the fingerprint module of Logstash like this:

filter {
  fingerprint {
    # field references must be quoted strings in the Logstash config
    source => "[event][original]"
    method => "SHA256"
    target => "fingerprint-check"
  }
}

Any "fingerprint-check" appears on Kibana, but when I use it as a new field with the "add_fields" module in the same filter as fingerprint and put this new field in the fingerprint module:

filter {
  # there is no add_fields filter; new fields are added with mutate's add_field option
  mutate {
    add_field => { "event_field" => "%{[event][original]}" }
  }
  fingerprint {
    source => "[event][original]"
    method => "SHA256"
    target => "fingerprint-check"
  }
}

On the Kibana dashboards the new field "event_field" is exactly the same as the "event.original" field from Winlogbeat. But the "fingerprint-check" (from Logstash) doesn't appear.

I don't understand why the fingerprint module of Logstash doesn't work on this field.

Thanks.
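To illustrate the field-reference difference from the reply above, and why the two hashes would still not match even once the reference resolves, here is an added Python model (not code from the thread or from Elastic). It assumes the libbeat fingerprint processor hashes each field framed as `name|value|` and that the Logstash filter hashes the raw string value and sets no target when the source field is missing; the event is constructed.

```python
import hashlib
import re

# Constructed sample event, shaped the way the beats input hands it to
# Logstash: Winlogbeat nests "event.original" as event -> original.
EVENT = {
    "event": {"original": "<Event><System><EventID>4624</EventID></System></Event>"},
    "host": {"name": "ws01"},
}


def logstash_ref(event, ref):
    """Resolve a Logstash field reference.

    "[event][original]" walks the nesting; a bare "event.original" is a
    single top-level key that literally contains a dot, so it is not found.
    """
    parts = re.findall(r"\[([^\]]+)\]", ref) if ref.startswith("[") else [ref]
    cur = event
    for part in parts:
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def beats_ref(event, field):
    """Beats resolves a dotted field name by walking nested maps."""
    cur = event
    for part in field.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def logstash_fingerprint(event, source):
    """SHA256 hex of the source value; no target is set when the source is absent."""
    value = logstash_ref(event, source)
    return None if value is None else hashlib.sha256(str(value).encode()).hexdigest()


def beats_fingerprint(event, field):
    """Assumed libbeat framing: the hash input is 'field|value|', not the bare value."""
    value = beats_ref(event, field)
    if value is None:
        return None
    return hashlib.sha256(f"{field}|{value}|".encode()).hexdigest()


if __name__ == "__main__":
    print("logstash event.original   :", logstash_fingerprint(EVENT, "event.original"))
    print("logstash [event][original]:", logstash_fingerprint(EVENT, "[event][original]"))
    print("winlogbeat event.original :", beats_fingerprint(EVENT, "event.original"))
```

The first line prints None (the missing target seen in Kibana); the other two are both 64-hex SHA256 values but differ because the hashed inputs differ, so a byte-for-byte comparison of the two fields is not a valid integrity check as configured.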
