Winlogbeat is sending Windows Event logs to logstash and I would like to create a new field by extracting the first line of the message field.
"message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tCORP-DC02$\n\tAccount Domain:\t\tACME\n\tLogon ID:\t\t0x238BCEAE\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege\n\t\t\tSeAssignPrimaryTokenPrivilege"
I have tried many filter variations without success. Here is my current one, but it results in only a copy of the message, as if it's unable to split the message by newline:
filter {
  mutate {
    copy => { "message" => "message_head" }
  }
  mutate {
    split => ["message_head", "\n"]
  }
  mutate {
    replace => { "message_head" => "%{message_head[0]}" }
  }
}
This is the result I am after:
message_head: Special privileges assigned to new logon.
When testing the above filter by sending a message with Postman, it splits the string into an array and produces the desired result. However, I get a string copy of the message when it is received from Winlogbeat.
Any suggestions would be most appreciated.
You want a literal newline embedded in the string.
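The fix the answer describes, written out as an added example (not the original poster's or the answerer's config): with Logstash's default `config.support_escapes: false`, the two characters `\n` inside a double-quoted config string are passed to the mutate split filter verbatim, so the separator has to be an actual line break between the quotes. A grok alternative is included because the regex engine interprets `\n` itself, independent of that setting; the `message_head` field name is the one used in the question.

```logstash
filter {
  # Keep the original event text; work on a copy.
  mutate {
    copy => { "message" => "message_head" }
  }

  # The separator below is a real line break inside the quotes, not the
  # two characters backslash and n. With config.support_escapes left at its
  # default (false), "\n" would only split on a literal "\n" in the text,
  # which is why the split appeared to do nothing for Winlogbeat events.
  mutate {
    split => { "message_head" => "
" }
  }

  # Field references need the bracket syntax: [field][index].
  mutate {
    replace => { "message_head" => "%{[message_head][0]}" }
  }

  # Windows event text may carry a trailing carriage return; drop it so the
  # value compares cleanly in searches and alert rules.
  mutate {
    strip => ["message_head"]
  }
}

# Alternative that does not depend on config.support_escapes: grok passes
# the pattern to the regex engine, which understands \r and \n natively.
# (Replaces the first three mutate blocks above; strip is then unnecessary.)
#
# filter {
#   grok {
#     match => { "message" => "^(?<message_head>[^\r\n]+)" }
#   }
# }
```

Both forms leave `message` intact and produce `message_head: Special privileges assigned to new logon.` for the sample event in the question.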