Dear all
I am trying to filter the window event_id i want to remove the message field and add my own field
But i have try 3 method i can think of like this
[winlog][event_id] == 4624
winlog.event_id == 4624
[event_id] == 4624
None of what i try do anything to the log and one of them even stop log from comming
Please help me
What does an event look like if you send it to
output { stdout { codec => rubydebug } }I have same issue since upgrading logstash to 7.4.2. It will not match any field from winlogbeats. Tested rubydebug and all fields show up fine. For example:
"winlog" => {
.........
"event_id" => 4688,
................
}
It still does not match
[winlog.event_id] == 4688
If event_id is a field nested inside the winlog object then although in kibana you would refer to it as winlog.event_id, in logstash you have to refer to it as [winlog][event_id]
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.