Hello,
I need to add some fields and descriptions for a Windows Event ID.
For example, for winlog.event_id = 1111 create a field named rule.description: Our description
Thank you for your help!
You could use the add_fields processor with a when condition.

```yaml
processors:
  - add_fields:
      when.equals.winlog.event_id: 1111
      target: rule
      fields:
        description: Our description
```
Thanks for your help
Unfortunately, it seems that winlogbeat does not add the field. I don't see it in Kibana
Please share the configuration that you are using. Surround it with three backticks before and after to preserve the formatting/spacing.
Actually it was a formatting/spacing issue, I didn't know that spacing is very important for winlogbeat!
It works now.
Thank you very much andrew for your help
Another question please:
If I have more when statements: if event id = 1111 then add field description = test-1111, if event id = 2222 then add field description = test-2222..., do I have to create more processors, or can I just use one processor with more when statements?
```yaml
processors:
  # one add_fields processor per event ID, each with its own when condition
  - add_fields:
      when.equals.winlog.event_id: 1111
      target: rule
      fields:
        id: 1111
        description: User Disabled
  - add_fields:
      when.equals.winlog.event_id: 2222
      target: rule
      fields:
        id: 2222
        description: User enabled
```
I want to put a specific id and description for some event IDs, is this the correct way to do it?
Thank you for your help
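A processor block carries exactly one `when`, so the add_fields approach needs one processor per event ID. When the list of IDs grows, a single `script` processor with a lookup table does the same job. The configuration below is an added example for this thread, not code posted by any participant or shipped with Winlogbeat; it assumes a Winlogbeat release that includes the `script` processor (JavaScript, `lang: javascript`, with the `event.Get` and `event.Put` calls from its event API) and reuses the placeholder IDs 1111 and 2222 from the thread. Because `winlog.event_id` may be indexed as a number or as a keyword depending on the Winlogbeat version, the table is keyed by the ID converted to a string, which sidesteps the type mismatch that makes a `when.equals` on an integer silently fail to match a string field.

```yaml
# winlogbeat.yml (added example; assumes the script processor is available)
processors:
  - script:
      lang: javascript
      id: event_id_descriptions
      # literal block (|) keeps line breaks, so // comments stay on their own line
      source: |
        // Lookup table keyed by the event ID as a string. The same table
        // works whether winlog.event_id arrives as a number or as a keyword.
        // 1111 and 2222 are the placeholder IDs used in this thread.
        var rules = {
          "1111": { id: "1111", description: "User Disabled" },
          "2222": { id: "2222", description: "User enabled" }
        };

        function process(event) {
          var eventId = event.Get("winlog.event_id");
          if (eventId === null) {
            return; // not a Windows event log record; leave it untouched
          }
          var rule = rules[String(eventId)];
          if (!rule) {
            return; // no mapping for this ID; the event passes through unchanged
          }
          // rule.id is an ECS keyword field, so it is written as a string
          event.Put("rule.id", rule.id);
          event.Put("rule.description", rule.description);
        }
```

Adding another event ID is one more line in `rules` rather than another six-line processor, and an event whose ID is not in the table is left exactly as Winlogbeat produced it. The same indentation rules that tripped up the add_fields configuration earlier in this thread apply here: the `source` block must be indented consistently under `source: |`, or the processor fails to load.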
© 2020. All Rights Reserved - Elasticsearch