Good morning everyone,
I am trying to use the elasticsearch filter plugin for Logstash for the first time.
I am trying to search for the login event whenever there is a logoff event, and enrich the logoff event with the necessary information from the login event.
The event id is the field [winlog][event_data][TargetLoginId] and is shared between logon and logoff events.
The configuration starts, but it doesn't copy the selected fields.
if "dc" in [tags] {
  # Two different field names are compared here; use whichever one the beat ships.
  # If the beat indexes the id as a string, compare against "4634" / "4647" instead of numbers.
  if [winlog][event_id] == 4634 or [event][code] == 4647 {
    elasticsearch {
      hosts    => ["http://localhost:9200"]
      user     => "elastic"
      password => "changeme"
      # Only today's daily index is searched, so a logon from a previous day is never found;
      # "%{[@metadata][beat]}-*" would search every daily index.
      index    => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      # query is Lucene query_string syntax: field names are dotted (winlog.event_data.X),
      # not Logstash [bracket] references. The %{...} sprintf reference is resolved from
      # the current (logoff) event before the query is sent.
      query    => "legittima:yes AND winlog.event_data.TargetLoginId:%{[winlog][event_data][TargetLoginId]}"
      # fields: left side is a [bracket] reference into the _source of the hit,
      # right side is the field to set on the logoff event. The newest hit wins
      # (default sort is @timestamp:desc).
      fields   => {
        "[winlog][event_data][ElevatedToken]" => "elevated_token"
        "@timestamp"                          => "LoginTime"
      }
    }
  }
}
The match is: query => "legittima:yes AND [winlog][event_data][TargetLoginId]:%{[winlog][event_data][TargetLoginId]}"
If the field is set to yes and the [winlog][event_data][TargetLoginId] is the same as the current one, copy the fields.
Thanks
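The logon-to-logoff join the filter is meant to perform, modelled offline in Python as an added example (this is not the poster's configuration and not the plugin's code). It assumes Winlogbeat-shaped events with the shared id in winlog.event_data.TargetLogonId (the post writes TargetLoginId; Windows 4624/4634/4647 events carry TargetLogonId, so use whatever name the beat actually indexes), constructed sample events, and a toy evaluator that only understands the `field:value AND field:value` shape of the query in the post. The `fields` map uses the plugin's [a][b] reference form while the query string uses dotted Lucene names; that difference is the one the original query gets wrong. The `_elasticsearch_lookup_failure` tag mirrors the plugin's default `tag_on_failure`.

```python
"""Offline model of the logon -> logoff enrichment done by the elasticsearch filter.

Added example, not the poster's configuration or the plugin's code. Sample events
are constructed; the query evaluator is a toy that only understands
'field:value AND field:value', which is the shape of the query in the post.
"""
from datetime import datetime

# The post writes this field as TargetLoginId; Windows 4624/4634/4647 events carry
# TargetLogonId. The name here must match what the beat actually indexes.
LOGON_ID_FIELD = "TargetLogonId"
LOGOFF_CODES = {"4634", "4647"}
LOOKUP_FAILURE_TAG = "_elasticsearch_lookup_failure"  # the plugin's default tag_on_failure

# Same shape as the filter's `fields` option: [a][b] reference into the hit's
# _source on the left, field to set on the logoff event on the right.
FIELDS_TO_COPY = {
    "[winlog][event_data][ElevatedToken]": "elevated_token",
    "@timestamp": "LoginTime",
}

# Constructed Winlogbeat-style events (not real log data), oldest first.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T08:00:00Z", "tags": ["dc"], "legittima": "yes",
     "winlog": {"event_id": "4624", "event_data": {LOGON_ID_FIELD: "0x3e7", "ElevatedToken": "%%1842", "TargetUserName": "alice"}}},
    {"@timestamp": "2024-05-01T08:05:00Z", "tags": ["dc"],   # no legittima:yes -> must not match
     "winlog": {"event_id": "4624", "event_data": {LOGON_ID_FIELD: "0x5a1", "ElevatedToken": "%%1843", "TargetUserName": "bob"}}},
    {"@timestamp": "2024-05-01T09:30:00Z", "tags": ["dc"],
     "winlog": {"event_id": "4634", "event_data": {LOGON_ID_FIELD: "0x3e7"}}},
    {"@timestamp": "2024-05-01T09:31:00Z", "tags": ["dc"],
     "winlog": {"event_id": "4647", "event_data": {LOGON_ID_FIELD: "0x5a1"}}},
    {"@timestamp": "2024-05-01T09:32:00Z", "tags": ["dc"],   # its logon was never indexed
     "winlog": {"event_id": "4634", "event_data": {LOGON_ID_FIELD: "0x999"}}},
]


def get_path(doc, ref):
    """Walk a nested dict by a Logstash [a][b] reference or a dotted a.b name."""
    parts = ref[1:-1].split("][") if ref.startswith("[") and ref.endswith("]") else ref.split(".")
    cur = doc
    for part in parts:
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def build_query(logoff_event):
    """The query_string the filter sends. Lucene field names are dotted; the
    %{[...]} sprintf reference in the config is resolved from the logoff event."""
    logon_id = get_path(logoff_event, f"[winlog][event_data][{LOGON_ID_FIELD}]")
    return f"legittima:yes AND winlog.event_data.{LOGON_ID_FIELD}:{logon_id}"


def run_query(index, query):
    """Toy evaluator: every 'field:value' term must match; hits are returned
    newest first, like the filter's default sort of @timestamp:desc."""
    terms = [t.split(":", 1) for t in query.split(" AND ")]
    hits = [d for d in index if all(str(get_path(d, f)) == v for f, v in terms)]
    return sorted(hits, key=lambda d: d["@timestamp"], reverse=True)


def enrich(logoff_event, index):
    """Copy FIELDS_TO_COPY from the newest matching logon into the logoff event,
    or tag the event when no logon matches. Returns the mutated event."""
    hits = run_query(index, build_query(logoff_event))
    if not hits:
        logoff_event.setdefault("tags", []).append(LOOKUP_FAILURE_TAG)
        return logoff_event
    for src, dst in FIELDS_TO_COPY.items():
        logoff_event[dst] = get_path(hits[0], src)
    # With LoginTime present the session length is one subtraction away.
    start = datetime.fromisoformat(logoff_event["LoginTime"].replace("Z", "+00:00"))
    end = datetime.fromisoformat(logoff_event["@timestamp"].replace("Z", "+00:00"))
    logoff_event["session_seconds"] = int((end - start).total_seconds())
    return logoff_event


def process(events):
    """Apply the post's conditional (tag dc, event id 4634 or 4647) to a batch of
    events, looking logons up in that same batch as the filter would in the index."""
    return [
        enrich(e, events) if "dc" in e.get("tags", []) and get_path(e, "[winlog][event_id]") in LOGOFF_CODES else e
        for e in events
    ]


if __name__ == "__main__":
    for e in process(SAMPLE_EVENTS):
        if get_path(e, "[winlog][event_id]") in LOGOFF_CODES:
            print(get_path(e, f"[winlog][event_data][{LOGON_ID_FIELD}]"), e.get("elevated_token"),
                  e.get("LoginTime"), e.get("session_seconds"), e["tags"])
```

Running it shows the 0x3e7 logoff picking up elevated_token and LoginTime from alice's logon, while the 0x5a1 logoff (bob's logon lacks legittima:yes) and the 0x999 logoff (no logon at all) get the failure tag instead of silently passing through, which is what to look for in the real pipeline when the copied fields are missing.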