Hello!
I have Logstash 6.2.4 and Winlogbeat 6.4.0.
Logstash config:
input {
  beats {
    port => 5044
  }
}
filter {
  # Winlogbeat ships event_data as a nested object, so the Logstash field
  # reference is [event_data][LogonType] (not a flat "event_data.LogonType"),
  # and the value arrives as the string "3", not the number 3.
  if [event_data][LogonType] == "3" {
    mutate {
      replace => { "[event_data][LogonType]" => "interactive logon" }
    }
  }
}
output {
  elasticsearch {
    hosts => "IP_address:9200"
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
Winlogbeat config:
winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4647, 4659, 4660, 4663, 4670, 4720, 4728, 4732, 4740, 4756, 4768, 4738, 4771, 4776, 4778, 4779, 5136, 5137, 5139, 5141
    ignore_older: 72h
    processors:
      - drop_fields:
          fields: ["event_data.OpCorrelationID", "event_data.OldSd", "event_data.ObjectGUID", "event_data.ObjectDN", "event_data.ObjectClass", "event_data.NewSd", "event_data.DSType", "event_data.DSName", "event_data.AttributeValue", "event_data.DSName", "event_data.AttributeValue", "event_data.AttributeSyntaxOID", "event_data.AttributeLDAPDisplayName", "event_data.AppCorrelationID", "event_data.Status", "event_data.TicketEncryptionType", "event_data.TicketOptions", "event_data.ObjectServer", "event_data.OperationType", "event_data.PreAuthType", "event_data.ServiceName", "event_data.ServiceSid", "event_data.Status", "event_data.TicketEncryptionType", "event_data.TicketOptions", "event_data.HandleId", "event_data.ServiceSid", "event_data.TargetDomainName",
                   "beat.hostname", "version", "_id", "event_data.TargetSid", "_index", "_score", "_type", "activity_id", "event_data.AccessList", "event_data.AccessMask", "event_data.AdditionalInfo", "event_data.ObjectType", "event_data.ObjectName", "event_data.Properties", "beat.name", "beat.version", "event_data.AuthenticationPackageName", "event_data.ElevatedToken", "event_data.ImpersonationLevel", "event_data.IpPort", "event_data.KeyLength", "event_data.LmPackageName", "event_data.LogonGuid", "event_data.LogonProcessName", "event_data.ProcessId", "event_data.ProcessName", "event_data.RestrictedAdminMode",
                   "event_data.SubjectDomainName", "event_data.SubjectLogonId", "event_data.SubjectUserName", "event_data.SubjectUserSid", "event_data.TargetLinkedLogonId", "event_data.TargetLogonId", "event_data.TargetOutboundDomainName", "event_data.TargetOutboundUserName", "event_data.TargetUserSid", "event_data.TransmittedServices", "event_data.VirtualAccount", "event_data.WorkstationName", "message", "opcode", "process_id", "provider_guid", "record_number", "source_name", "thread_id", "type"]
      - drop_event:
          when:
            contains:
              event_data.TargetUserName: "$"
I want to replace a value in a field.
For example:
in the field "event_data.LogonType", I want to replace the value "3" with "logon system".
How am I able to do it?
Thanks!
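As an added example (not part of the original post), the same mapping done for every logon type code at once with Logstash's bundled translate filter instead of one conditional per value. It assumes the Winlogbeat 6.x field layout (event_data.LogonType shipped as a string) and writes the label to a new field, [event_data][LogonTypeName], so the numeric code stays searchable for existing detection rules; the labels are the logon type names from Microsoft's documentation for event 4624.

```logstash
filter {
  # Only touch Security events that carry a LogonType (4624, 4625, ...).
  if [event_data][LogonType] {
    translate {
      field       => "[event_data][LogonType]"
      # Write the label to a new field so the numeric code is not lost.
      destination => "[event_data][LogonTypeName]"
      exact       => true
      # Keys are strings because Winlogbeat 6.x ships event_data values as strings.
      dictionary  => {
        "0"  => "System"
        "2"  => "Interactive"
        "3"  => "Network"
        "4"  => "Batch"
        "5"  => "Service"
        "7"  => "Unlock"
        "8"  => "NetworkCleartext"
        "9"  => "NewCredentials"
        "10" => "RemoteInteractive"
        "11" => "CachedInteractive"
        "12" => "CachedRemoteInteractive"
        "13" => "CachedUnlock"
      }
      # A code missing from the dictionary is still labelled rather than silently skipped.
      fallback    => "Unknown"
    }
  }
}
```

Swap `destination` for `field` and add `override => true` if the original behaviour of overwriting the code itself is wanted.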