Event Data field not created in Kibana

Sketchy · October 16, 2018, 2:20pm

I am using filesystem auditing and logging event 4656.

Is there a way I can have beats create a field for "Accesses" from the data below? All other fields get created except for Accesses.

I want beats to only pickup logs that have DELETE in the Accesses field.
Why doesn't a field get automatically created called Accesses in Kibana?

Object:
Object Server: Security
Object Type: File
Object Name: Z:\Test1.txt
Handle ID: 0xba0
Resource Attributes: -

Process Information:
Process ID: 0x4f0
Process Name: C:\Windows\explorer.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE

system · November 13, 2018, 2:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana : field event_id not available in bucket (from winlogbeat) Kibana	2	808	May 18, 2020
Kibana Customized filters Kibana	4	1230	July 6, 2017
Filebeat - Created new module, don't see new module fields in Kibana Beats	1	451	October 5, 2017
Disable field "count" in filebeat output Beats filebeat	3	1227	July 5, 2017
No data in Auditbeat events when using include_fields processor Beats auditbeat	5	1037	November 4, 2022