Extracting the members of the Winlogbeat event_data_MemberName array

Elastic Stack Logstash
1

Hi,

So as the title says, I'd like to use individual members of the event_data_MemberName array returned from Winlogbeat running on one of our DCs. The end goal is to create a filter that will allow me to create a table of users that have been added to groups throughout the day.
After some experimenting I've realised that (I hope correctly), event_data_MemberName is actaully an array returned by Winlogbeat, in my case, showing the following:

CN=Joe Bloggs,OU=Pork_Pies,OU=Users,OU=17,OU=Paris,OU=FR,DC=bestporkpies,DC=com

I now wish to take certain members of that array and use them in new fields, so my final attempt (that still doesn't work), is as follows. You can see what I'm trying to do with the gsubs too but I've commented them out for now until I resolve this issue.

filter {
# If the event_data_MemberName contains a value, enter loop
		if ([event_data.MemberName] != "") {
			mutate {
				#gsub certain array components, removing the AD tags
				#gsub => ["event_data.MemberName[0]", "CN=", ""]
				#gsub => ["event_data.MemberName[1]", "OU=", ""]
				#gsub => ["event_data.MemberName[4]", "OU=", ""]
				#gsub => ["event_data.MemberName[5]", "OU=", ""]
				
				#Add a new field called "User_added" and fill it with the 1st member of the event_data.MemberName array
				add_field => ["User_added",%{event_data.MemberName}[0]]
				
				#Add a new field called "BU" and fill it with the 2nd member of the event_data.MemberName array
				add_field => ["BU,%{event_data.MemberName}[1]]
				
				#Add a new field called "City" and fill it with the 4th member of the event_data.MemberName array
				add_field => ["City,%{event_data.MemberName}[4]]
				
				#Add a new field called "Country" and fill it with the 5th member of the event_data.MemberName array
				add_field => ["Country,%{event_data.MemberName}[5]]
			}
		}
	}

The end result is that I get my additional "User_added" field, but it contains the string:

%{event_data.MemberName}[5]

Don't quote on the exact string it shows (I've so many iterations and commented out code at this stage, it may be slightly different). The point being, is that I'm struggling to find the right syntax to pull the members from the event_data.MemberName array.

Any pointers would be greatly appreciated!

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.