Event_data.param# instead of the correct fields

Badb0y · August 31, 2018, 6:08am

Hi,

On kibana when I forwarded the logs I don't see like message id or message fields and a parsed fields, I just see this event_data.param.

How can I send in the proper format?

This is the raw json.

Our flow loks like this:

Client -> Indexerserver -> elastic search -> kibana

Should be the messages sent by default in this format or the indexer server should parse it?

andrewkroh · August 31, 2018, 5:01pm

Please read my response in Generically named event_data.paramN on Windows XP and 2003. I think it explains what you are seeing.

Badb0y · September 1, 2018, 1:09am

Hmm, strange because this servers are windows 2012 servers not vista or older things.
So it means we have to parse it on the logstash server?

andrewkroh · September 1, 2018, 1:32am

It's not the operating system causing the issue, it's the application and the means by which it writes to the log.

Yes, you'll need to use LS to rename the fields to something more meaningful. And by the looks of the data you might need to parse some of the paramN values to get the data you need.

Badb0y · September 3, 2018, 1:53am

Thank you.

Badb0y · September 6, 2018, 3:45am

Is there any way to drop everything with event_data.param ? If I list 1 by 1 I can drop the fields but the wildcard doesn't work.

This is how I try:

winlogbeat.event_logs:
  - name: Application
    processors: 
        - drop_fields:
            fields: ["event_data.param*"]
    #level: critical, error, warning
    #include_xml: true
    ignore_older: 72h
  - name: System
    processors: 
        - drop_fields:
            fields: ["event_data.param.*"]
    # level: critical, error, warning
    #include_xml: true
  - name: Setup
    level: critical, error, warning
  - name: "Windows PowerShell"
    level: critical, error, warning
output.logstash:
  hosts: []

Or how can we rename that fields?

When you say LS in your previous comment you mean like this flow: winlogbeat raw event -> logstash and here do the magic -> elastic search -> kibana ?

Cannot somehow let the events know what they are sending? When we used nxlog everything transferred correctly.

Or another idea, I just see that the event_data.params actually the message and the message we have in the message field, so how we can just disable or set something don't try to parse the message itself. If it doesn't try to parse the message these fields wouldn't come up.

Or how to do this, it would be also a solution:
    processors: 
            - drop_fields:
                when:
                    has_fields: ['event_data.param']
                fields: ["event_data.param"]

The above doesn't work it says Exiting: Failed to create new event log. missing condition. If we have ot with wildcard or somehow make it work I'm happy.

system · October 4, 2018, 3:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.