I have Filebeat using the MSSQL module running on a Windows SQL Server exporting logs to an Elasticsearch server. I can view the Filebeat logs in Kibana. But I can't (seem) to search on the Message field. For example, none of the following Kibana searches work:
agent.hostname: "SQL1" and messages: *
agent.hostname: "SQL1" and messages: %Login%
When I expand the documents, I see the text "message" field with data like "Login succeeded for user 'reportuser'. Connection made using SQL Server authentication. [CLIENT: xx.xx.xx.xx]".
The "message" field is there, I just can't seem to access it for searching.
My ultimate goal is to get the username into a separate field so I can Visualize it for Dashboards. Would I do this on the Filebeat mssql module or on the Elasticsearch backend? Any direction on this would certainly be appreciated.
As you can tell, I'm just beginning to figure out the power of Elasticsearch. Glad for assistance!
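
Added example, not part of the original post: the username extraction the post asks about, written as a Python regex over the message layout quoted above so the pattern can be checked offline before it is ported to wherever the extraction ends up running. The failed-login layout, the sample lines and the mssql.* key names are assumptions.

```python
import re
from collections import Counter

# Assumption: messages follow the layout quoted in the post. The failed-login
# variant and the mssql.* key names are hypothetical additions for illustration.
LOGIN_RE = re.compile(
    r"^Login (?P<outcome>succeeded|failed) for user '(?P<user>[^']*)'\."
    r"(?: Connection made using (?P<auth>.+?) authentication\.)?"
    r"(?: Reason: (?P<reason>.+?))?"
    r" \[CLIENT: (?P<client>[^\]]+)\]\s*$"
)

def parse_login(message):
    """Return extracted fields as a dict, or None if this is not a login message."""
    m = LOGIN_RE.match(message)
    if m is None:
        return None
    fields = {
        "event.outcome": "success" if m["outcome"] == "succeeded" else "failure",
        "user.name": m["user"],
        "source.address": m["client"],
    }
    if m["auth"]:
        fields["mssql.auth_method"] = m["auth"]
    if m["reason"]:
        fields["mssql.failure_reason"] = m["reason"]
    return fields

def logins_by_user(messages):
    """Count (user, outcome) pairs, the aggregate a login dashboard would chart."""
    counts = Counter()
    for msg in messages:
        fields = parse_login(msg)
        if fields is not None:  # non-login log lines are skipped, not errors
            counts[(fields["user.name"], fields["event.outcome"])] += 1
    return counts

# Constructed sample messages; client addresses are from a documentation range.
SAMPLES = [
    "Login succeeded for user 'reportuser'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]",
    "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.44]",
    "Recovery is complete. This is an informational message only.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_login(sample))
    print(logins_by_user(SAMPLES))
```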