How to get the original log from winlogbeat?

Daniel_Ben_Hayoun · September 16, 2019, 4:01pm

Hi,
I'm using winlogbeat to publish event logs to logstash. I mean that the output from winlogbeat is for another machine that runs logstash. The plugin is :
input {
# tcp {
# port => 12345

	# }

	beats {
		port=> 6666
	}
}

filter {
	mutate { rename => { "message" => "forensic"} }

}
output {
	stdout{}
}

I want the original log sent from winlogbeat , including all existing fields. Usually the field "message" contain the entire log . the problem is the field "message is already occupied by winlogbeat with different data, and when i do :
mutate { rename => { "message" => "forensic"} }

I don't get the entire log , but only the field that winlogbeat occupied with some different data rather then the entire original log. how can I get the original log sent from winlogbeat?

system · October 14, 2019, 4:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to get the original message sent to logstash? Logstash	1	577	October 7, 2019
Split "event_data" to only show the original field Beats winlogbeat	3	1225	April 13, 2017
Split "event_data" to only show the original data field Logstash	3	1610	April 13, 2017
Logstash can't recognize "message" field from winlogbeat Beats winlogbeat	3	878	October 20, 2017
[Solved] How to get raw log in logstash Logstash	3	7828	July 3, 2017

How to get the original log from winlogbeat?

Related topics