How to add a field with description for a specific Windows Event ID?

Hello,
I need to add some fields and descriptions for a Windows Event ID.
For example, for winlog.event_id = 1111 create a field named rule.description: Our description

Thank you for your help!

You could use the add_fields processor with a when condition.

processors:
  - add_fields:
      when.equals.winlog.event_id: 1111
      target: rule
      fields:
        description: Our description

Thanks for your help
Unfortunately, it seems that winlogbeat does not add the field. I don't see it in Kibana

Please share the configuration that you are using. Surround it with three backticks before and after to preserve the formatting/spacing.

Actually it was a formatting/spacing issue, I didn't know that spacing is very important for winlogbeat!
It works now.
Thank you very much andrew for your help :+1:

Another question please:
If I have more when statements: if event id = 1111 then add field description = test-1111, if event id = 2222 then add field description = test-2222, ..., do I have to create more processors, or can I just use 1 processor with more when statements?

processors:
  - add_fields:
      when.equals.winlog.event_id: 1111
      target: rule
      fields:
        id: 1111
        description: User Disabled
      when.equals.winlog.event_id: 2222
      target: rule
      fields:
        id: 2222
        description: User enabled

I want to put a specific id and description for some event IDs, is this the correct way to do it?

Thank you for your help
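As an added example that is not part of the thread, one way to write the multi-event-ID configuration is one add_fields processor per event ID, each carrying its own when condition; the event IDs and descriptions are the constructed values from the question above:

```yaml
# Added example: one add_fields processor per Windows Event ID.
# A single YAML mapping cannot hold the key "when.equals.winlog.event_id"
# twice, so each condition gets its own list entry under processors.
processors:
  - add_fields:
      when.equals.winlog.event_id: 1111
      target: rule
      fields:
        id: 1111
        description: User Disabled
  - add_fields:
      when.equals.winlog.event_id: 2222
      target: rule
      fields:
        id: 2222
        description: User enabled
```

Each entry is evaluated independently, so an event with winlog.event_id 2222 gets only the second rule.id and rule.description.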
