Event_data.param# instead of the correct fields


On kibana when I forwarded the logs I don't see like message id or message fields and a parsed fields, I just see this event_data.param.

How can I send in the proper format?

This is the raw json.

Our flow loks like this:

Client -> Indexerserver -> elastic search -> kibana

Should be the messages sent by default in this format or the indexer server should parse it?

Please read my response in Generically named event_data.paramN on Windows XP and 2003. I think it explains what you are seeing.

Hmm, strange because this servers are windows 2012 servers not vista or older things.
So it means we have to parse it on the logstash server?

It's not the operating system causing the issue, it's the application and the means by which it writes to the log.

Yes, you'll need to use LS to rename the fields to something more meaningful. And by the looks of the data you might need to parse some of the paramN values to get the data you need.

Thank you.

Is there any way to drop everything with event_data.param ? If I list 1 by 1 I can drop the fields but the wildcard doesn't work.

This is how I try:

  - name: Application
        - drop_fields:
            fields: ["event_data.param*"]
    #level: critical, error, warning
    #include_xml: true
    ignore_older: 72h
  - name: System
        - drop_fields:
            fields: ["event_data.param.*"]
    # level: critical, error, warning
    #include_xml: true
  - name: Setup
    level: critical, error, warning
  - name: "Windows PowerShell"
    level: critical, error, warning
  hosts: []

Or how can we rename that fields?

When you say LS in your previous comment you mean like this flow: winlogbeat raw event -> logstash and here do the magic -> elastic search -> kibana ?

Cannot somehow let the events know what they are sending? When we used nxlog everything transferred correctly.

Or another idea, I just see that the event_data.params actually the message and the message we have in the message field, so how we can just disable or set something don't try to parse the message itself. If it doesn't try to parse the message these fields wouldn't come up.

Or how to do this, it would be also a solution:
            - drop_fields:
                    has_fields: ['event_data.param']
                fields: ["event_data.param"] 

The above doesn't work it says Exiting: Failed to create new event log. missing condition. If we have ot with wildcard or somehow make it work I'm happy.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.