Field is not renaming

I am using winlogbeat and I want to create an index which stores user session info, but I am doing this step by step, that is, I am storing successful user logins first. Everything is going well, but now I am facing a problem:
```
filter {
  if [agent][type] == "winlogbeat" {
    if [winlog][channel] == "Security" {
      if [winlog][event_id] == 4624 {
        mutate {
          rename => {
            "SubjectUserSid" => "user_reporter_sid"
            "SubjectUserName" => "user_reporter_name"
            "SubjectDomainName" => "user_reporter_domain"
            "SubjectLogonId" => "reporter_logon_id"
            "TargetUserSid" => "user_sid"
            "TargetUserName" => "user_name"
            "TargetDomainName" => "user_domain"
            "TargetLogonId" => "user_logon_id"
            "LogonType" => "logon_type"
            "LogonProcessName" => "logon_process_name"
            "AuthenticationPackageName" => "logon_authentication_package_name"
            "WorkstationName" => "src_host_name"
            "LogonGuid" => "user_logon_guid"
            "KeyLength" => "logon_key_length"
            "ProcessId" => "process_id"
            "ProcessName" => "process_name"
            "ImpersonationLevel" => "impersonation_level"
            "RestrictedAdminMode" => "logon_restricted_admin_mode"
            "VirtualAccount" => "logon_virtual_account"
            "ElevatedToken" => "logon_elevated_token"
          }
        }
      }
    }
  }
}
output {
  if [winlog][channel] == "Security" and [winlog][event_id] == 4624 {
    elasticsearch {
      hosts => ["http://192.168.0.119:9200"]
      index => "session-%{+YYYY.MM.dd}"
    }
  }
}
```
The problem is that the above fields are not changing.

It would be helpful if you formatted your configuration as a correctly indented code block (with the </> button) and posted an example of your data.

I don't know how to do it

Just wrap your code in back ticks `

For example

```
THIS IS SOME CODE
```

```
filter {
  if [agent][type] == "winlogbeat" {
    if [winlog][channel] == "Security" {
      if [winlog][event_id] == 4624 {
        mutate {
          rename => {
            "SubjectUserSid" => "user_reporter_sid"
            "SubjectUserName" => "user_reporter_name"
            "SubjectDomainName" => "user_reporter_domain"
            "SubjectLogonId" => "reporter_logon_id"
            "TargetUserSid" => "user_sid"
            "TargetUserName" => "user_name"
            "TargetDomainName" => "user_domain"
            "TargetLogonId" => "user_logon_id"
            "LogonType" => "logon_type"
            "LogonProcessName" => "logon_process_name"
            "AuthenticationPackageName" => "logon_authentication_package_name"
            "WorkstationName" => "src_host_name"
            "LogonGuid" => "user_logon_guid"
            "KeyLength" => "logon_key_length"
            "ProcessId" => "process_id"
            "ProcessName" => "process_name"
            "ImpersonationLevel" => "impersonation_level"
            "RestrictedAdminMode" => "logon_restricted_admin_mode"
            "VirtualAccount" => "logon_virtual_account"
            "ElevatedToken" => "logon_elevated_token"
          }
        }
      }
    }
  }
}
output {
  if [winlog][channel] == "Security" and [winlog][event_id] == 4624 {
    elasticsearch {
      hosts => ["http://192.168.0.119:9200"]
      index => "session-%{+YYYY.MM.dd}"
    }
  }
}
```

:slight_smile:

I'll remember this next time, but why is the winlogbeat field not changing when using logstash?

It's most likely due to your if conditions at the top not matching for some reason.

Can you provide an example log that is not being renamed so I can take look?
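A version of this pipeline that renames the fields where Winlogbeat actually places them, as an added example that is not from the thread: it assumes the event's data fields are nested under `[winlog][event_data]` (where Winlogbeat 7 and later puts them), so a plain top-level name such as `"SubjectUserName"` never exists on the event and `rename` silently does nothing. The `session_logon` tag is an added name so the output block can key on the filter having matched.

```logstash
filter {
  # Assumption: Winlogbeat nests event data under [winlog][event_data],
  # so the rename source must be the full path, not the bare field name.
  if [agent][type] == "winlogbeat" and [winlog][channel] == "Security" and [winlog][event_id] == 4624 {
    mutate {
      rename => {
        "[winlog][event_data][SubjectUserSid]"            => "user_reporter_sid"
        "[winlog][event_data][SubjectUserName]"           => "user_reporter_name"
        "[winlog][event_data][SubjectDomainName]"         => "user_reporter_domain"
        "[winlog][event_data][SubjectLogonId]"            => "reporter_logon_id"
        "[winlog][event_data][TargetUserSid]"             => "user_sid"
        "[winlog][event_data][TargetUserName]"            => "user_name"
        "[winlog][event_data][TargetDomainName]"          => "user_domain"
        "[winlog][event_data][TargetLogonId]"             => "user_logon_id"
        "[winlog][event_data][LogonType]"                 => "logon_type"
        "[winlog][event_data][LogonProcessName]"          => "logon_process_name"
        "[winlog][event_data][AuthenticationPackageName]" => "logon_authentication_package_name"
        "[winlog][event_data][WorkstationName]"           => "src_host_name"
        "[winlog][event_data][LogonGuid]"                 => "user_logon_guid"
        "[winlog][event_data][KeyLength]"                 => "logon_key_length"
        "[winlog][event_data][ProcessId]"                 => "process_id"
        "[winlog][event_data][ProcessName]"               => "process_name"
        "[winlog][event_data][ImpersonationLevel]"        => "impersonation_level"
        "[winlog][event_data][RestrictedAdminMode]"       => "logon_restricted_admin_mode"
        "[winlog][event_data][VirtualAccount]"            => "logon_virtual_account"
        "[winlog][event_data][ElevatedToken]"             => "logon_elevated_token"
      }
      # Mark events the condition matched so the output and any debugging can key on it.
      add_tag => [ "session_logon" ]
    }
  }
}

output {
  # Route only successfully renamed logon events to the session index.
  if "session_logon" in [tags] {
    elasticsearch {
      hosts => ["http://192.168.0.119:9200"]
      index => "session-%{+YYYY.MM.dd}"
    }
  }
}
```

If the tag never appears, add a temporary `stdout { codec => rubydebug }` output and compare one raw event against the condition: the `== 4624` comparison only matches when `[winlog][event_id]` arrives as a number, not as the string `"4624"`.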
