Drop "event_data." from data field

Good afternoon Elastic team,

I am sending Sysmon logs to my ELK stack with Winlogbeat 5.2.1 and all of them have the "event_data" string in the field names. For example:

event_data.CommandLine should be only CommandLine

How can I make those changes on the client (winlogbeat) instead of configuring a Logstash filter?

Thank you

You need to use Logstash or Ingest Node if you want to rename fields. It cannot be done in Beats.

Why do you want to rename them?

Thank you very much. That's what I read too. It cannot be done at the host level (Winlogbeat). The reason why I want to rename them is because the data field names are too long, and I was not sure if others were trying to rename them or working like that by default. Sorry, this is my first time working with Winlogbeat and ELK.

Too long for what?

I think most people use them as is. I can see a case for some renames or copies if you want a common field name for certain types of data across your org.

1- Too long for visualizations. As you can see below. The data field name such as:

event_data.DestinationIP.keyword is too long, and with the word "Descending" added it pushes the column name "Count" to the right. So my visualization needs to be a certain size to accommodate the columns I want to show. If I reduce its size, I don't see the "Count" column.

2- Too long to type queries manually. Let's say I want to create chains of events to know which processes are calling out to a specific external IP address via a specific port name:

event_data.Image: "C:\bla\bla\bla.exe" AND event_data.DestinationIP: "x.x.x.x" AND event_data.DestinationPortName: "https"

it could be:

image: C:\bla\bla\bla.exe AND DestinationIP: "x.x.x.x" AND DestinationPortName: "https"

That's it. If most people are using them as is, then I will just use the data fields like that. I just wasn't sure if the "event_data" part added to the original data field name was something that I needed to split or take out to clean up how the data fields are presented. Once again, I am new to Winlogbeat sending the logs. I used nxlog in the past, and the logs are sent and named the way they are presented in the raw log. For example, the log shown below will keep the same data field names without adding "event_data".

However, according to what you posted before, that's the way Winlogbeat tags events so that we don't have to use Grok to parse logs properly.

Kibana allows a custom name to be used. So you can use anything you like for the column header.

I can't help with that. The reason the fields are namespaced under event_data is to provide context about where the data came from. Also since the fields can be named anything by the developer of the application that logged the event, the name could collide with other fields used by the Beat and this namespacing prevents it.
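To make the collision argument concrete, here is an added example (not code from the thread or from the Beats project) that does the rename on the server side the way an ingest pipeline or a Logstash `mutate { rename => ... }` filter would, but refuses to hoist any `event_data` key that would overwrite a Beat-level field. The sample Sysmon event is constructed, the `BEAT_FIELDS` set is an assumed, partial list of Winlogbeat 5.x top-level fields, and the colliding `"type"` key is planted deliberately to show the failure the namespacing prevents.

```python
# Added example: flatten Winlogbeat "event_data.*" to top-level field names
# without clobbering the Beat's own fields. Not part of the original thread.
import copy

# Assumed, partial list of top-level fields Winlogbeat 5.x emits for every
# record. Any event_data key with one of these names would collide.
BEAT_FIELDS = {
    "@timestamp", "beat", "computer_name", "event_id", "level", "log_name",
    "message", "provider_guid", "record_number", "source_name", "task",
    "type", "user",
}

# Constructed Sysmon Event ID 3 (network connection) shaped like a Winlogbeat
# 5.x document. The "type" key inside event_data is planted on purpose.
SAMPLE_EVENT = {
    "@timestamp": "2017-03-01T14:02:11.000Z",
    "computer_name": "WKSTN01.example.local",
    "event_id": 3,
    "log_name": "Microsoft-Windows-Sysmon/Operational",
    "source_name": "Microsoft-Windows-Sysmon",
    "type": "wineventlog",
    "event_data": {
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "DestinationIP": "x.x.x.x",
        "DestinationPort": "443",
        "DestinationPortName": "https",
        "Protocol": "tcp",
        "type": "collision",
    },
}


def flatten_event_data(event, namespace="event_data", overwrite=False):
    """Hoist every key under `namespace` to the top level of a copy of `event`.

    Returns (flattened_event, skipped_keys). A key is skipped, and left under
    the namespace, when it already exists at the top level or is a reserved
    Beat field, unless overwrite=True. The input event is never mutated.
    """
    out = copy.deepcopy(event)
    nested = out.pop(namespace, None)
    skipped = []
    if not isinstance(nested, dict):
        return out, skipped
    for key, value in nested.items():
        collides = key in out or key in BEAT_FIELDS
        if collides and not overwrite:
            # Keep the original value where it was so nothing is silently lost.
            skipped.append(key)
            out.setdefault(namespace, {})[key] = value
            continue
        out[key] = value
    return out, skipped


def short_query(event, *fields):
    """Build the shorter Lucene query the poster wanted from a flattened event."""
    return " AND ".join('%s: "%s"' % (f, event[f]) for f in fields)


if __name__ == "__main__":
    flat, skipped = flatten_event_data(SAMPLE_EVENT)
    print("skipped (would have overwritten a Beat field):", skipped)
    print(short_query(flat, "Image", "DestinationIP", "DestinationPortName"))
```

Run it and the only key that stays under `event_data` is the planted `"type"`, while `type: "wineventlog"` survives at the top level; with Logstash's `mutate { rename => { "[event_data][type]" => "type" } }` or an ingest `rename` processor there is no such guard, which is exactly why Winlogbeat keeps application-defined names under their own namespace.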

Thank you very much, Andrew. I didn't think of the custom labels. That will make it so much easier. Problem solved then. :) Have a good rest of the week!
