Error translation event_id

Hi,
I have a problem with one of my filters for event_id.
This one works perfectly:
filter {
  mutate {
    convert => {
      "event_id" => "string"
    }
  }
  translate {
    field => "event_id"
    dictionary => {
      "4720" => "Compte créer"
      "4722" => "Compte activé"
      "4723" => "Utilisateur change mdp"
      "4725" => "Compte désactivé"
      "4724" => "Admin change mdp"
      "4740" => "Compte vérouiller"
      "4726" => "Compte supprimé"
      "4738" => "Compte modifié"
      "4767" => "Compte dévérouiller"
      "4781" => "Nom changé"

      "5156" => "Autorisation de connexion"
      "4634" => "Déconnexion"
      "4624" => "Succès Connexion"
      "4625" => "Echec Connexion"
      "4647" => "Initialise déconnexion"
      "4778" => "Session RDP connexion"
      "4779" => "Session RDP déconnexion"

      "4768" => "Ticket Kerberos"
      "4771" => "Kerberos failed"
      "4820" => "Kerberos refuser(restriction)"
    }
    destination => "convert.event_id"
    override => "true"
  }
}

But not this one:

filter {
  translate {
    field => "event_data.SubStatus"

    dictionary => {
      "0xc0000064" => "existe pas"
      "0xc000006a" => "user name"
      "0xc0000234" => "user"
      "0xc0000072" => "account"
      "0xc000006f" => "usertime"
      "0xc0000070" => "workstation"
      "0xc0000193" => "account expiration"
      "0xc0000071" => "expired password"
      "0xc0000133" => "clock sync error"
      "0xc0000224" => "user is required"
      "0xc0000225" => "evidently"
      "0xc000015b" => "The user has"
      "0x80090325" => "test"
    }

    destination => "convert.event_data.SubStatus"
    override => "true"
  }
}

I looked in /var/log/logstash but I didn't find any errors.

If your field name contains a dot that is correct, but if the event_data object contains a SubStatus field then that should be [event_data][SubStatus].
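
A corrected form of the second filter, added here as an example and not part of the original reply: it uses the bracket syntax for the nested source field and makes the silent miss visible, since the translate filter logs nothing when its source field is absent. The `fallback` text, the `substatus_missing` tag, the `[convert][event_data][SubStatus]` destination and the `event_id` guard (which assumes the string conversion from the first filter has already run) are assumptions of this example.

```logstash
filter {
  # Assumption: only failed logons (4625) are expected to carry a SubStatus,
  # and event_id was already converted to a string by the first filter.
  if [event_id] == "4625" {
    if [event_data][SubStatus] {
      translate {
        # SubStatus is a key inside the event_data object, so each level
        # of nesting gets its own pair of brackets.
        field => "[event_data][SubStatus]"

        dictionary => {
          "0xc0000064" => "existe pas"
          "0xc000006a" => "user name"
          "0xc0000234" => "user"
          # ... remaining entries unchanged from the original dictionary
        }

        # Bracket syntax here creates a nested object; the dotted form
        # would create one top-level field with dots in its name.
        destination => "[convert][event_data][SubStatus]"
        override => true

        # A code missing from the dictionary now produces a value
        # instead of leaving the destination field unset.
        fallback => "unknown SubStatus"
      }
    } else {
      # Debugging aid: marks events where the nested field is absent,
      # the case in which translate does nothing and logs no error.
      mutate {
        add_tag => ["substatus_missing"]
      }
    }
  }
}
```
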

Thx, it solved my problem.
