Filter event from Winlogbeat

Hi community.
Does anybody have a filter example for conf.d to filter the Windows (Security) event log?
I'm using Winlogbeat and didn't find any usable example in the documentation.
Need your help!

What kind of filtering are you looking for? Doesn't Winlogbeat split things up into fields out of the box?

A grok, because I wrote the simplest grok:
grok {
  match => { "message" => "%{GREEDYDATA:message}" }
}

Sorry, I don't understand. You have a field from which you want to extract fields, e.g. using a grok filter? If so, what does that field contain and what do you want to extract from it?

For example, I can extract a few fields like these headers:
Subject:
Security ID: ...
Account Name: ...
Account Domain: ...
Logon ID: ...

Object:
Object Server: Security
Object Type: -
Object Name: -
Object Handle: 0x4a4

Process Information:
Process ID: 0x1468
Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe

Requested Operation:
Desired Access: 1048577
Privileges: SeBackupPrivilege

Or is this not so necessary, and can I search these terms in the future within a message without any performance degradation?
Sorry, I'm a new user of ES :)

Okay, I see. I thought Winlogbeat was able to provide these fields. Yeah, then you probably want to use a grok or kv filter. I have no example of that at hand.
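Since the thread ends without a concrete filter, here is an added example (mine, not from the thread, from Winlogbeat, or from the Elastic documentation) of a Logstash filter that turns the "Key:<tabs>Value" lines of the Security message shown above into fields with the kv filter. It assumes Winlogbeat puts the event text in message and the channel name in log_name (Winlogbeat 5.x naming; check your own field names), that the kv plugin is version 4 or later (the options trim_key and trim_value are called trimkey and trim in older releases), and that the target field name "win" is free to use.

```conf
# Added example, not from the thread: Logstash filter for Winlogbeat Security events.
# Assumption: the event text is in [message] and the channel in [log_name].
filter {
  if [log_name] == "Security" {
    # Every body line is "<Key>:<tabs><Value>". Section headers such as "Subject:"
    # have nothing after the colon, so kv finds no value and skips them.
    kv {
      source          => "message"
      target          => "win"        # parsed keys land under [win][...] instead of top level
      field_split     => "\r\n"       # one pair per line; used as a regex class, so CRLF and LF both work
      value_split     => ":"          # key ends at the FIRST colon, so "C:\Windows\..." stays in the value
      trim_key        => "\t "        # drop the indentation tabs in front of each key
      trim_value      => "\t "        # drop the tab padding between key and value
      remove_char_key => " "          # "Account Name" -> "AccountName", simpler to query
      include_keys    => [ "SecurityID", "AccountName", "AccountDomain", "LogonID",
                           "ObjectServer", "ObjectType", "ObjectName", "ObjectHandle",
                           "ProcessID", "ProcessName", "DesiredAccess", "Privileges" ]
    }
    ruby {
      code => '
        # "-" means "not set" in Windows event text; remove such fields so they
        # do not show up as a real value in term aggregations.
        win = event.get("win") || {}
        win.each do |k, v|
          event.remove("[win][#{k}]") if v == "-"
        end
        # Process ID is written as hex ("0x1468"); store it as an integer (5224).
        pid = event.get("[win][ProcessID]")
        event.set("[win][ProcessID]", pid.hex) if pid.is_a?(String) && pid.start_with?("0x")
      '
    }
  }
}
```

With this in place the message above yields fields such as win.ProcessName, win.Privileges and win.ObjectHandle, so a search like win.Privileges:SeBackupPrivilege hits an indexed term instead of scanning the full message text. One caveat: for events where the same key appears in two sections (logon events list "Account Name" under both Subject and New Logon), kv stores both values as an array, so section-aware parsing needs separate grok patterns or a ruby filter that splits the message at the section headers first.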

Or is this not so necessary, and can I search these terms in the future within a message without any performance degradation?

No, you'll want to extract them to fields.
