Filter elasticsearch data with logstash

Hello, I am trying to export some data from an Elastic Stack using Logstash, but it doesn't work.
For this I connected it to a test stack with this config file:

input {
  elasticsearch {
    hosts => "localhost:9200"
    index => "winlogbeat-6.3.2-2023.08.16"
    query => '{ "query": { "query_string": { "query": "*" } } }'
    size => 5
    scroll => "10s"
    docinfo => true
  }
}

filter {
  if "4634" in [event_id] {
    mutate { add_tag => "field in field" }
  }
}

output {
  if "field in field" in [tags] {
    stdout {
      codec => rubydebug { metadata => true }
    }
  }
}

If I remove the part 'if "4634" in [event_id]' from the filter, it works, and the tag is added to the output as expected.
As an example, below is one of the source items being fetched from Elasticsearch.

    "record_number" => "953747822",
       "event_data" => {
                "TargetLogonId" => "0x28775",
              "SubjectUserName" => "sa_fortisso",
                  "ProcessName" => "C:\\Program Files (x86)\\Fortinet\\FSAE\\collectoragent.exe",
            "SubjectDomainName" => "domain",
                    "ProcessId" => "0x1190",
        "DisabledPrivilegeList" => "SeSecurityPrivilege",
               "SubjectLogonId" => "0x28775",
               "TargetUserName" => "sa_fortisso",
             "TargetDomainName" => "domain",
               "SubjectUserSid" => "S-1-5-21-35345345345-1588684209-2680700694-2234",
         "EnabledPrivilegeList" => "-",
                "TargetUserSid" => "S-1-0-0"
    },
          "message" => "A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3905848510-1588684209-2680700694-2234\n\tAccount Name:\t\tsa_fortisso\n\tAccount Domain:\t\tITIS\n\tLogon ID:\t\t0x28775\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tsa_fortisso\n\tAccount Domain:\t\tITIS\n\tLogon ID:\t\t0x28775\n\nProcess Information:\n\tProcess ID:\t\t0x1190\n\tProcess Name:\t\tC:\\Program Files (x86)\\Fortinet\\FSAE\\collectoragent.exe\n\nEnabled Privileges:\n\t\t\t-\n\nDisabled Privileges:\n\t\t\tSeSecurityPrivilege",
             "type" => "wineventlog",
           "opcode" => "Info",
        "thread_id" => 10148,
             "task" => "Token Right Adjusted Events",
         "event_id" => 4634,
       "@timestamp" => 2023-08-16T09:57:19.717Z,
    "provider_guid" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
         "@version" => "1",
             "host" => {
        "name" => "hostname"
    },
             "beat" => {
        "hostname" => "hostname",
            "name" => "hostname",
         "version" => "6.3.2"
    },
      "source_name" => "Microsoft-Windows-Security-Auditing"
}
{
       "process_id" => 4,
    "computer_name" => "fqdn",
         "keywords" => [
        [0] "Audit Success"
    ],
         "log_name" => "Security",
            "level" => "Information",
        "@metadata" => {
        "input" => {
            "elasticsearch" => {
                   "_id" => "nX7H_YkBspU4mehKQrcq",
                "_index" => "winlogbeat-6.3.2-2023.08.16",
                 "_type" => "doc"
            }
        }
    },

Any idea what I am doing wrong?

Based on the sample you provided, I can confirm that event_id is not an array, so you must use the "==" syntax for the comparison.

cf. Accessing event data and fields | Logstash Reference [8.9] | Elastic
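To make the operator choice concrete, here is an added example that is not from this thread or from Elastic: a self-contained pipeline that uses the generator input to emit one constructed winlogbeat-style event (field names and values are assumed, not the poster's data) and shows which conditional operator fits which field type. Syntax-check it with `bin/logstash -f conditionals.conf --config.test_and_exit` (file name assumed), then run it with `bin/logstash -f conditionals.conf` and inspect the tags in the rubydebug output.

```logstash
input {
  # Constructed stand-in for one winlogbeat document (not the poster's data):
  # event_id is an integer, keywords is an array, log_name is a string.
  generator {
    count => 1
    codec => json
    lines => ['{"event_id": 4634, "log_name": "Security", "keywords": ["Audit Success"], "event_data": {"TargetUserName": "sa_example"}}']
  }
}

filter {
  # event_id holds a single integer, so compare it with == and an unquoted
  # number. Logstash conditionals are type-sensitive: the quoted literal
  # "4634" is a string and does not equal the integer 4634, just as the
  # original `"4634" in [event_id]` never matched an integer field.
  if [event_id] == 4634 {
    mutate { add_tag => "eventid_4634" }
  }

  # Several ids on a scalar field: chain == comparisons with "or".
  if [event_id] == 4624 or [event_id] == 4634 or [event_id] == 4647 {
    mutate { add_tag => "logon_logoff" }
  }

  # keywords is an array, so here "in" is a membership test.
  if "Audit Success" in [keywords] {
    mutate { add_tag => "audit_success" }
  }

  # Against a string field, "in" is a substring test: this is the only
  # scalar type for which the poster's original `in` form makes sense.
  if "Sec" in [log_name] {
    mutate { add_tag => "security_log" }
  }

  # Nested fields use the same bracket path syntax with ==.
  if [event_data][TargetUserName] == "sa_example" {
    mutate { add_tag => "service_account" }
  }
}

output {
  stdout { codec => rubydebug }
}
```

When a numeric field has been indexed as a string (common when a grok pattern captured it without a `:int` suffix), either quote the literal to match the string type or normalize first with `mutate { convert => { "event_id" => "integer" } }` and keep the unquoted comparison; mixing the two is the usual reason a condition that "looks right" silently never matches.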

Great, this works as expected:

filter {
  if [event_id] == 4634 {
    mutate { add_tag => "field in field" }
  }
}
