Hello everyone, I am using the winlogbeat in Windows Server security event analysis, a hash field "event_data" was generated, now I want to rename the "TargetUserName" field in the
"event_data" field using logstash filter, and keep the new field to the "_source" in the root directory, I tried many methods are unable to achieve this goal, what plugins can be simple to achieve this demand, thank you very much!
winlogbeat original massage :
"_source": {
"event_data": {
"Workstation": "ad-test01",
"Status": "0x0",
"PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
"TargetUserName": "test01"
},
......
},
target massage :
"_source": {
"Workstation": "ad-test01",
"Status": "0x0",
"PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0,
"TargetUserName": "test01"
......
},
Thank you very much!