How to fetch IP address of using winlogbeat?

Nikhil_Jaiswal · December 28, 2017, 7:19am

Hi,

I installed winlogbeat on host but i am only able to see hostname of the device not source ip.
Is there any configuration changes required to get source ip ?

Mazhar · December 28, 2017, 8:17am

@Nikhil_Jaiswal - What is the architecture at your end, from WINLOGBEATS the output is to? If you can throw some light.

Nikhil_Jaiswal · December 29, 2017, 7:33am

i am using ELK stack so the architecture is like

Winlogbeat >> logstash >> elasticsearch >> kibana

i am forwarding all the events from windows.

Mazhar · December 29, 2017, 12:06pm

@Nikhil_Jaiswal - Are you using any filters in logstash configuration files that is preventing the source IP information. I meant gork in logstash configuration file

Nikhil_Jaiswal · December 31, 2017, 6:02am

this is my mutate part

remove_field => ["type"]
remove_field => ["InsertionStrings"]
}

			mutate {
				
				remove_field => ["keywords"]
				remove_field => ["beat"]
				remove_field => ["tags"]
				remove_field => ["user"]					
				remove_field => ["event_data"]	
				remove_field => ["provider_guid"]
				remove_field => ["process_id"]
				remove_field => ["thread_id"]
				 
				#rename => ["syslog_message" , "messages"]				
				
				
				add_field => ["src_hostname" , "%{host}"]
				add_field => [ "src_ip", "%{host}" ]
				add_field => ["engine_id", "1518"]
				#add_field => [ 	"engine_log_id", "1"]
				rename => ["event_id" , "engine_log_id"]					
				#rename => ["host" , "src_hostname"]
				#rename => ["clienthost" , "client_IP"]
				#add_field => ["hostname","%{winname}"]
				remove_field => ["host"]	
				}

Mazhar · January 2, 2018, 8:40am

can you change the position of the definition for host and IP and check for the result. As I don't see any problems with the configurations.

I have a query - in Logstash have you configured aggregation on the event data received?

//Mazhar

andrewkroh · January 2, 2018, 3:37pm

The IP address of the Beat is added to the event by Logstash. The data is written to the [@metadata][ip_address] field. If you want this data to be written to Elasticsearch then you need to copy the data out of the @metadata namespace and into the main event with a mutate filter because the @metadata is special in that it is not sent to the output.

Include Remote IP address in the Event medata by jakelandis · Pull Request #218 · logstash-plugins/logstash-input-beats · GitHub

Nikhil_Jaiswal · January 4, 2018, 1:07pm

Thanks @andrewkroh,

Can you please help me in logstash syntax means how to add in mutate, because i am new in elastic .

andrewkroh · January 5, 2018, 5:40pm

Try

filter {
	mutate {
		copy => {"[@metadata][ip_address]" => "[beat][ip]"}
	}
}

system · February 2, 2018, 5:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to add source ip (device ip) of host to log Beats winlogbeat	1	301	July 1, 2020
Ipadress shown in kibana from winlogbeats Beats winlogbeat	2	865	December 4, 2017
Add IP Address field using winlogbeat Beats winlogbeat	3	907	September 25, 2019
Add Remote IP address in winlogbeat data Logstash	4	716	May 5, 2018
Getting the IP address of the Winlogbeat host from Logstash Beats winlogbeat	4	2743	August 8, 2016

How to fetch IP address of using winlogbeat?

Related topics