Hi,
I'm new to using Logstash for parsing data. We have Windows Event Logs coming through Winlogbeat to Logstash and then sent to Elasticsearch. I am trying to extract different fields using Logstash, but it doesn't work.
I have created a file winevents.conf under the pipeline folder (/usr/share/logstash/pipeline) and here are the contents of the config file:
input {
  beats {
    port => 1514
    ssl => true
    client_inactivity_timeout => 7200
    ssl_verify_mode => "none"
    #ssl_certificate_authorities => ["/usr/share/logstash/config/ca.cer"]
    ssl_certificate => "/usr/share/logstash/config/lumberjack_cert.crt"
    ssl_key => "/usr/share/logstash/config/lumberjack_cert.key"
  }
}
filter {
  grok {
    #patterns_dir => "/etc/logstash/patterns"
    # match maps a field name to a pattern string; a nested hash here is a config error
    match => { "message" => "Profiler CLSID: '(?<appd_id>[^']+)'" }
  }
}
output {
  stdout {
    codec => rubydebug
  }
  elasticsearch {
    hosts => "https://elks2.nam.io:443"
    user => "something"
    password => "something"
    keystore => "/usr/share/logstash/config/cacerts"
    keystore_password => "something"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}
Example event in the message field:
.NET Runtime version 4.0.30319.36575 - The profiler has requested that the CLR instance not load the profiler into this process. Profiler CLSID: 'AppDynamics.AgentProfiler'. Process ID (decimal): 83484. Message ID: [0x2516]
I want to extract "AppDynamics.AgentProfiler" into a separate field appd_id.
This is my first step towards using Logstash for extractions and I have more to do; I appreciate your guidance and help.
Thank you
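An offline check of the grok pattern, added as an example that is not part of the original post: it mimics grok's matching in plain Python (Oniguruma named captures, unanchored search, a `_grokparsefailure` tag when nothing matches) so the pattern can be verified before it goes into the pipeline. The sample events are constructed, and the extra `process_id` and `message_id` captures go beyond the single field asked for.

```python
import re

# Constructed sample events: the first mirrors the message quoted in the
# question, the second is a .NET Runtime event with no CLSID at all.
SAMPLE_EVENTS = [
    ".NET Runtime version 4.0.30319.36575 - The profiler has requested that the CLR "
    "instance not load the profiler into this process. Profiler CLSID: "
    "'AppDynamics.AgentProfiler'. Process ID (decimal): 83484. Message ID: [0x2516]",
    ".NET Runtime version 4.0.30319.36575 - Application startup completed.",
]

# Grok-style pattern exactly as it would be written in the Logstash filter.
GROK_PATTERN = (
    r"Profiler CLSID: '(?<appd_id>[^']+)'\. Process ID \(decimal\): (?<process_id>\d+)"
    r"\. Message ID: \[(?<message_id>0x[0-9a-fA-F]+)\]"
)


def grok_to_python(pattern: str) -> str:
    """Grok (Oniguruma) writes named groups as (?<name>...); Python needs (?P<name>...)."""
    return re.sub(r"\(\?<([A-Za-z_][A-Za-z0-9_]*)>", r"(?P<\1>", pattern)


def grok_extract(message: str, pattern: str) -> dict:
    """Return the event with captured fields added, or tagged with _grokparsefailure.

    Like grok, the pattern is searched anywhere in the field, not anchored.
    """
    event = {"message": message}
    match = re.search(grok_to_python(pattern), message)
    if match is None:
        event["tags"] = ["_grokparsefailure"]
        return event
    event.update({k: v for k, v in match.groupdict().items() if v is not None})
    return event


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(grok_extract(ev, GROK_PATTERN))
```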