Field is not renaming

Aniket_Pant · July 29, 2020, 9:50am

I am using winlogbeat and i want to create an index which stores user sessions info. but i am doing this step by step that is i am storing successfull login of user. Everything is going good but now i am facing some problem
filter
{
if [agent][type]=="winlogbeat"
{
if [winlog][channel]=="Security"
{
if [winlog][event_id]==4624
{
mutate {
rename => {
"SubjectUserSid" => "user_reporter_sid"
"SubjectUserName" => "user_reporter_name"
"SubjectDomainName" => "user_reporter_domain"
"SubjectLogonId" => "reporter_logon_id"
"TargetUserSid" => "user_sid"
"TargetUserName" => "user_name"
"TargetDomainName" => "user_domain"
"TargetLogonId" => "user_logon_id"
"LogonType" => "logon_type"
"LogonProcessName" => "logon_process_name"
"AuthenticationPackageName" => "logon_authentication_package_name"
"WorkstationName" => "src_host_name"
"LogonGuid" => "user_logon_guid"
"KeyLength" => "logon_key_length"
"ProcessId" => "process_id"
"ProcessName" => "process_name"
"ImpersonationLevel" => "impersonation_level"
"RestrictedAdminMode" => "logon_restricted_admin_mode"
"VirtualAccount" => "logon_virtual_account"
"ElevatedToken" => "logon_elevated_token"
}
}}}}}
output {
if [winlog][channel]=="Security" and [winlog][event_id]==4624 {
elasticsearch {
hosts => ["http://192.168.0.119:9200"]
index => "session-%{+YYYY.MM.dd}"
}
}
}
The problem is the above field is not changing

Jenni · July 29, 2020, 10:27am

It would be helpful if you formatted your configuration as a correctly indented code block (with the </> button) and posted an example of your data.

Aniket_Pant · July 29, 2020, 10:51am

I don't know how to do it

bradley.king · July 29, 2020, 11:32am

Just wrap your code in back ticks `

For example

```
THIS IS SOME CODE
```

filter {
		if [agent][type] == "winlogbeat" {
			if [winlog][channel] == "Security" {
				if [winlog][event_id] == 4624 {
					mutate {
						rename => {
							"SubjectUserSid" => "user_reporter_sid"
							"SubjectUserName" => "user_reporter_name"
							"SubjectDomainName" => "user_reporter_domain"
							"SubjectLogonId" => "reporter_logon_id"
							"TargetUserSid" => "user_sid"
							"TargetUserName" => "user_name"
							"TargetDomainName" => "user_domain"
							"TargetLogonId" => "user_logon_id"
							"LogonType" => "logon_type"
							"LogonProcessName" => "logon_process_name"
							"AuthenticationPackageName" => "logon_authentication_package_name"
							"WorkstationName" => "src_host_name"
							"LogonGuid" => "user_logon_guid"
							"KeyLength" => "logon_key_length"
							"ProcessId" => "process_id"
							"ProcessName" => "process_name"
							"ImpersonationLevel" => "impersonation_level"
							"RestrictedAdminMode" => "logon_restricted_admin_mode"
							"VirtualAccount" => "logon_virtual_account"
							"ElevatedToken" => "logon_elevated_token"
						}
					}
				}
			}
		}
	}
		output {
		if [winlog][channel] == "Security" and [winlog][event_id] == 4624 {
			elasticsearch {
			hosts => ["http://192.168.0.119:9200"]
			index => "session-%{+YYYY.MM.dd}"
		}
	}
}

Aniket_Pant · July 29, 2020, 11:51am

I'll remember this next time but why winlogbeat field is changing using logstash

bradley.king · July 29, 2020, 12:19pm

It's most likely due to your if conditions at the top not matching for some reason.

Can you provide an example log that is not being renamed so I can take look?

system · August 26, 2020, 2:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.