How to get the original message sent to logstash?

Hi,
I'm dealing with winlogbeat, and want to add the entire log that I've got to a field called "[event][original]".
Usually I do this:

mutate { rename => { "message" => "forensicLog" } }
But this time, winlogbeat creates a field named "message" with data that I don't want.

{ "_index": "winlogbeat-7.0.0-2019.08.22-000001", "_type": "_doc", "_id": "A8C_zGwBVZ5Ye99ngvG9", "_version": 1, "_score": null, "_source": { "@timestamp": "2019-08-26T07:06:17.700Z", "host": { "name": "DC", "os": { "platform": "windows", "version": "6.1", "family": "windows", "name": "Windows Server 2008 R2 Enterprise", "kernel": "6.1.7601.24444 (win7sp1_ldr_escrow.190429-1700)", "build": "7601.24465" }, "id": "2b0a2bd9-edaf-45cc-8c97-9ddc5c184da3", "hostname": "DC", "architecture": "x86_64" }, "agent": { "id": "6dcb5c11-fa40-4cac-bc3c-ecab8952390b", "version": "7.0.0", "type": "winlogbeat", "ephemeral_id": "538fc1ca-b50e-4121-9617-e66ab8693a0b", "hostname": "DC" }, "winlog": { "opcode": "Info", "process": { "pid": 4, "thread": { "id": 84 } }, "event_data": { "HandleId": "0x104", "OldValueType": "%%1873", "ProcessId": "0xf58", "SubjectUserName": "administrator", "SubjectLogonId": "0x18dbef", "NewValueType": "%%1873", "ProcessName": "C:\\Windows\\regedit.exe", "NewValue": "sndklnsl", "SubjectDomainName": "OZ", "ObjectValueName": "SCRNSAVE.EXE", "OperationType": "%%1905", "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-2521481594-3673023198-3481644760-500\\Control Panel\\Desktop", "SubjectUserSid": "S-1-5-21-2521481594-3673023198-3481644760-500" }, "task": "Registry", "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "channel": "Security", "event_id": 4657, "record_id": 14924143, "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": [ "Audit Success" ], "api": "wineventlog", "computer_name": "DC.oz.land" }, "event": { "action": "Registry", "created": "2019-08-26T07:06:19.992Z", "kind": "event", "code": 4657 }, "log": { "level": "information" }, "message": "A registry value was modified.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2521481594-3673023198-3481644760-500\n\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tOZ\n\tLogon ID:\t\t0x18dbef\n\nObject:\n\tObject Name:\t\t\\REGISTRY\\USER\\S-1-5-21-2521481594-3673023198-3481644760-500\\Control Panel\\Desktop\n\tObject Value Name:\tSCRNSAVE.EXE\n\tHandle ID:\t\t0x104\n\tOperation Type:\t\tExisting registry value modified\n\nProcess Information:\n\tProcess ID:\t\t0xf58\n\tProcess Name:\t\tC:\\Windows\\regedit.exe\n\nChange Information:\n\tOld Value Type:\t\tREG_SZ\n\tOld Value:\t\t\n\tNew Value Type:\t\tREG_SZ\n\tNew Value:\t\tsndklnsl", "ecs": { "version": "1.0.0" } }, "fields": { "@timestamp": [ "2019-08-26T07:06:17.700Z" ], "event.created": [ "2019-08-26T07:06:19.992Z" ] }, "highlight": { "event.code": [ "@kibana-highlighted-field@4657@/kibana-highlighted-field@" ], "winlog.event_id": [ "@kibana-highlighted-field@4657@/kibana-highlighted-field@" ] }, "sort": [ 1566803177700 ] }

Any suggestions?
Thanks
