How to convert "Selection Fields" to code?

I forward my Windows Event Log via "Winlogbeat" to my Linux box, on which I installed "Elasticsearch" and "Kibana". I can customize my event logs via "Selection Fields", but I must create them each time I open "Kibana". How can I write a config file that does this automatically for me?

Thank you.

I'm not super familiar with Winlogbeat personally, but I've used Filebeat before, and the trick was to configure the beat to correctly parse the information that it was ingesting. Winlogbeat looks similar, and offers ways to configure and enrich the input from the events. If you need really powerful enrichment (which shouldn't be required in this case; the issue here is more about parsing), you can check out the docs on using ingest node.

Thank you. I just need to extract some fields.
Does the "drop" command remove fields, or are those the fields that I need?

I'm not sure what you are asking about. What drop command?

I saw it in the examples. What is this command doing?

Are you talking about the drop_fields processor in the example? It's one of the Beats processors, which are used to process data before it is indexed.

You can find the docs for that specific processor here.

Thank you.
To be honest, I don't like you to spoon-feed me, but I'm a non-geek and I want to know: can you show me an example, or write an example, that extracts "Subject", "Object" and "Accesses" from "message"?

Haha, it's no problem. All this stuff can be overwhelming, and guidance is what the forums are for, right?

Unfortunately, I'm not really a Beats user though. I used Filebeat once and poked at it just long enough to get what I was trying to do working. I don't even remember what it was I was doing, let alone how I did it. I could probably dig through everything and point you to some more spots in the documentation, but I wouldn't have any more insight than you would finding those resources on your own.

I'd recommend asking over in the Beats section of the forums for help. That's monitored by the folks who work on Beats; they certainly know a lot more than I do. :wink:
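One way to do the extraction asked for above, as an added example that is not part of the original thread or of Winlogbeat itself: a Winlogbeat "script" processor body (assumes a release that ships that processor with `lang: javascript`, which runs ES5 only, and its `event.Get` / `event.Put` API) that pulls Subject, Object and Accesses out of the free-text `message` field. The sample message is constructed to mimic the indented "Section:" / "Key: value" layout of a Windows file-access audit event, and the `parsed.*` target field names are placeholders.

```javascript
// Added example, not code from the thread or from Elastic: the body of a
// Winlogbeat "script" processor (assumed available, lang: javascript, ES5
// only) that pulls Subject, Object and Accesses out of the event "message".

// Value after "<label>:" inside the block headed "<section>:"; a section is
// taken to run until the next blank line or the end of the message.
function sectionValue(message, section, label) {
  var sectionRe = new RegExp(section + ":\\r?\\n([\\s\\S]*?)(?:\\r?\\n[ \\t]*\\r?\\n|$)");
  var block = sectionRe.exec(message);
  if (!block) return null;
  var lineRe = new RegExp("^[ \\t]*" + label + ":[ \\t]*(.*?)[ \\t]*$", "m");
  var line = lineRe.exec(block[1]);
  return line ? line[1] : null;
}

// The three fields the question asks for; a field that is absent stays null.
function extractAccessFields(message) {
  return {
    subject_account: sectionValue(message, "Subject", "Account Name"),
    object_name: sectionValue(message, "Object", "Object Name"),
    accesses: sectionValue(message, "Access Request Information", "Accesses")
  };
}

// Entry point the script processor calls once per event (event.Get/event.Put
// are its API). The "parsed.*" target names are placeholders; pick your own.
function process(event) {
  var message = event.Get("message");
  if (typeof message !== "string") return;
  var parsed = extractAccessFields(message);
  for (var key in parsed) {
    if (parsed[key] !== null) event.Put("parsed." + key, parsed[key]);
  }
}

// Constructed sample mimicking the indented "Section:" / "Key: value" layout
// of a file-access audit event; check it against the layout of your events.
var SAMPLE_MESSAGE = [
  "Subject:",
  "\tSecurity ID:\t\tS-1-5-21-111-222-333-1001",
  "\tAccount Name:\t\talice",
  "",
  "Object:",
  "\tObject Type:\t\tFile",
  "\tObject Name:\t\tC:\\Finance\\payroll.xlsx",
  "",
  "Access Request Information:",
  "\tAccesses:\t\tReadData (or ListDirectory)",
  "\tAccess Mask:\t\t0x1"
].join("\n");
```

To wire it in, reference the file from `winlogbeat.yml` under `processors:` as `- script: {lang: javascript, file: <path to this file>}`; a `drop_fields` processor placed after it can then trim the original fields you no longer need.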

I created a thread but did not get any reply :frowning:
