Hello, I am trying to export some data from an elastic stack using logstash but it doesn't work.
For this I connected it to a test stack with this config file
input {
elasticsearch {
hosts => "localhost:9200"
index => "winlogbeat-6.3.2-2023.08.16"
query => '{ "query": { "query_string": { "query": "*" } } }'
size => 5
scroll => "10s"
docinfo => true
}
}
filter {
if "4634" in [event_id] {
mutate { add_tag => "field in field" }
}
}
output {
if "field in field" in [tags] {
stdout {
codec => rubydebug { metadata => true }
}
}
}
If I remove the part " if "4634" in [event_id] " from the filter it works, and the tag is added to the output as expected
As an example, below is one of the source items being fetched from elasticsearch.
"record_number" => "953747822",
"event_data" => {
"TargetLogonId" => "0x28775",
"SubjectUserName" => "sa_fortisso",
"ProcessName" => "C:\\Program Files (x86)\\Fortinet\\FSAE\\collectoragent.exe",
"SubjectDomainName" => "domain",
"ProcessId" => "0x1190",
"DisabledPrivilegeList" => "SeSecurityPrivilege",
"SubjectLogonId" => "0x28775",
"TargetUserName" => "sa_fortisso",
"TargetDomainName" => "domain",
"SubjectUserSid" => "S-1-5-21-35345345345-1588684209-2680700694-2234",
"EnabledPrivilegeList" => "-",
"TargetUserSid" => "S-1-0-0"
},
"message" => "A token right was adjusted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3905848510-1588684209-2680700694-2234\n\tAccount Name:\t\tsa_fortisso\n\tAccount Domain:\t\tITIS\n\tLogon ID:\t\t0x28775\n\nTarget Account:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tsa_fortisso\n\tAccount Domain:\t\tITIS\n\tLogon ID:\t\t0x28775\n\nProcess Information:\n\tProcess ID:\t\t0x1190\n\tProcess Name:\t\tC:\\Program Files (x86)\\Fortinet\\FSAE\\collectoragent.exe\n\nEnabled Privileges:\n\t\t\t-\n\nDisabled Privileges:\n\t\t\tSeSecurityPrivilege",
"type" => "wineventlog",
"opcode" => "Info",
"thread_id" => 10148,
"task" => "Token Right Adjusted Events",
"event_id" => 4634,
"@timestamp" => 2023-08-16T09:57:19.717Z,
"provider_guid" => "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"@version" => "1",
"host" => {
"name" => "hostname"
},
"beat" => {
"hostname" => "hostname",
"name" => "hostname",
"version" => "6.3.2"
},
"source_name" => "Microsoft-Windows-Security-Auditing"
}
{
"process_id" => 4,
"computer_name" => "fqdn",
"keywords" => [
[0] "Audit Success"
],
"log_name" => "Security",
"level" => "Information",
"@metadata" => {
"input" => {
"elasticsearch" => {
"_id" => "nX7H_YkBspU4mehKQrcq",
"_index" => "winlogbeat-6.3.2-2023.08.16",
"_type" => "doc"
}
}
},
Any idea what I am doing wrong?