How to fetch IP address of using winlogbeat?

Nikhil_Jaiswal · December 28, 2017, 7:19am

Hi,

I installed winlogbeat on host but i am only able to see hostname of the device not source ip.
Is there any configuration changes required to get source ip ?

Mazhar · December 28, 2017, 8:17am

@Nikhil_Jaiswal - What is the architecture at your end, from WINLOGBEATS the output is to? If you can throw some light.

Nikhil_Jaiswal · December 29, 2017, 7:33am

i am using ELK stack so the architecture is like

Winlogbeat >> logstash >> elasticsearch >> kibana

i am forwarding all the events from windows.

Mazhar · December 29, 2017, 12:06pm

@Nikhil_Jaiswal - Are you using any filters in logstash configuration files that is preventing the source IP information. I meant gork in logstash configuration file

Nikhil_Jaiswal · December 31, 2017, 6:02am

this is my mutate part

remove_field => ["type"]
remove_field => ["InsertionStrings"]
}

			mutate {
				
				remove_field => ["keywords"]
				remove_field => ["beat"]
				remove_field => ["tags"]
				remove_field => ["user"]					
				remove_field => ["event_data"]	
				remove_field => ["provider_guid"]
				remove_field => ["process_id"]
				remove_field => ["thread_id"]
				 
				#rename => ["syslog_message" , "messages"]				
				
				
				add_field => ["src_hostname" , "%{host}"]
				add_field => [ "src_ip", "%{host}" ]
				add_field => ["engine_id", "1518"]
				#add_field => [ 	"engine_log_id", "1"]
				rename => ["event_id" , "engine_log_id"]					
				#rename => ["host" , "src_hostname"]
				#rename => ["clienthost" , "client_IP"]
				#add_field => ["hostname","%{winname}"]
				remove_field => ["host"]	
				}

Mazhar · January 2, 2018, 8:40am

can you change the position of the definition for host and IP and check for the result. As I don't see any problems with the configurations.

I have a query - in Logstash have you configured aggregation on the event data received?

//Mazhar

andrewkroh · January 2, 2018, 3:37pm

The IP address of the Beat is added to the event by Logstash. The data is written to the [@metadata][ip_address] field. If you want this data to be written to Elasticsearch then you need to copy the data out of the @metadata namespace and into the main event with a mutate filter because the @metadata is special in that it is not sent to the output.

Include Remote IP address in the Event medata by jakelandis · Pull Request #218 · logstash-plugins/logstash-input-beats · GitHub

Nikhil_Jaiswal · January 4, 2018, 1:07pm

Thanks @andrewkroh,

Can you please help me in logstash syntax means how to add in mutate, because i am new in elastic .

andrewkroh · January 5, 2018, 5:40pm

Try

filter {
	mutate {
		copy => {"[@metadata][ip_address]" => "[beat][ip]"}
	}
}

system · February 2, 2018, 5:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.