Filter section in logstash

artem33region · September 12, 2018, 7:53am

Hello!
I have logstash 6.2.4 and Winlogbeat 6.4.0
Logstash config:
input {
beats {
port => 5044
}
}

filter {
  if [event_data.LogonType] == 3 {
    mutate {
      replace => [ "event_data.LogonType", "interactive logon" ]
    }
  }
}

output {
  elasticsearch {
    hosts => "IP_address:9200"
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" 
  }
}

Winlogbeat config:
winlogbeat.event_logs:

name: Security
event_id: 4624, 4625, 4647, 4659, 4660, 4663, 4670, 4720, 4728, 4732, 4740, 4756, 4768, 4738, 4771, 4776, 4778, 4779, 5136, 5137, 5139, 5141
ignore_older: 72h
processors:
drop_fields:
fields: ["event_data.OpCorrelationID", "event_data.OldSd", "event_data.ObjectGUID", "event_data.ObjectDN", "event_data.ObjectClass", "event_data.NewSd", "event_data.DSType", "event_data.DSName", "event_data.AttributeValue", "event_data.DSName", "event_data.AttributeValue", "event_data.AttributeSyntaxOID", "event_data.AttributeLDAPDisplayName", "event_data.AppCorrelationID", "event_data.Status", "event_data.TicketEncryptionType", "event_data.TicketOptions", "event_data.ObjectServer", "event_data.OperationType", "event_data.PreAuthType", "event_data.ServiceName", "event_data.ServiceSid", "event_data.Status", "event_data.TicketEncryptionType", "event_data.TicketOptions", "event_data.HandleId", "event_data.ServiceSid", "event_data.TargetDomainName", "beat.hostname", "version", "_id", "event_data.TargetSid", "_index", "_score", "_type", "activity_id", "event_data.AccessList", "event_data.AccessMask", "event_data.AdditionalInfo", "event_data.ObjectType", "event_data.ObjectName", "event_data.Properties", "beat.name", "beat.version", "event_data.AuthenticationPackageName", "event_data.ElevatedToken", "event_data.ImpersonationLevel", "event_data.IpPort", "event_data.KeyLength", "event_data.LmPackageName", "event_data.LogonGuid", "event_data.LogonProcessName", "event_data.ProcessId", "event_data.ProcessName", "event_data.RestrictedAdminMode", "event_data.SubjectDomainName", "event_data.SubjectLogonId", "event_data.SubjectUserName", "event_data.SubjectUserSid", "event_data.TargetLinkedLogonId", "event_data.TargetLogonId", "event_data.TargetOutboundDomainName", "event_data.TargetOutboundUserName", "event_data.TargetUserSid", "event_data.TransmittedServices", "event_data.VirtualAccount", "event_data.WorkstationName", "message", "opcode", "process_id", "provider_guid", "record_number", "source_name", "thread_id", "type"]
drop_event:
when:
contains:
event_data.TargetUserName: "$"

I want to replace value in field.
For example:
field "event_data.LogonType" with value "3" i want to replace on "logon system"

How I able to do it?
Thanks!

magnusbaeck · September 12, 2018, 8:55am

Have a look at the translate filter. Also note Logstash's syntax for nested fields: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references

artem33region · September 12, 2018, 10:32am

Before i can use translate filter i need to install it?

logstash-plugin install logstash-filter-translate

system · October 10, 2018, 10:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.