Hi Sir,
Can I use this as shown in the screenshot?
# Logstash dissect filter: splits "message" into sections, then splits five of
# those sections (subject, logon, newlogon, process, network) into one field per
# line. winlog_impersonation and winlog_authentication are kept whole.
# The field names suggest the rendered text of a Windows logon event -- confirm
# against a sample event.
#
# How the patterns behave:
#  - Every delimiter here is the literal newline inside the quoted string.
#    Dissect matches delimiters exactly, so the line endings and blank lines of
#    the incoming text must be identical to what is typed here.
#  - %{?name} is a named skip field: it consumes the text but is not added to the
#    event. Skipped here: the *_header lines, RestrictedAdminMode, VirtualAccount,
#    ElevatedToken, NetworkAccountName and WorkstationName.
#  - The last field of each pattern takes the rest of the text.
#
# NOTE(review): as shown, the "message" pattern separates sections with the same
#   single newline that the per-section patterns use between lines. Each winlog_*
#   section captured from "message" would then hold one line only, and the
#   per-section patterns (which expect several lines) would not match. Blank lines
#   between sections may have been lost when this was pasted -- check the real
#   config against a raw event.
# NOTE(review): each field captures a whole line. If the lines carry a label before
#   the value, the label ends up in the field as well -- confirm, and trim if needed.
# NOTE(review): ElevatedToken and WorkstationName are dropped. Both are useful when
#   triaging logons; remove the "?" if they should be kept.
# NOTE(review): a non-matching event is tagged _dissectfailure by default. Route or
#   alert on that tag so unparsed logon events are noticed rather than silently
#   missing fields.
# NOTE(review): rendered event text varies with OS version and locale. If the
#   shipper already provides structured event data, prefer those fields.
dissect {
mapping => {
"message" => "%{?winlog_header}
%{winlog_subject}
%{winlog_logon}
%{winlog_impersonation}
%{winlog_newlogon}
%{winlog_process}
%{winlog_network}
%{winlog_authentication}"
"winlog_subject" => "%{?subject_header}
%{winlog_eventdata_SubjectUserSid}
%{winlog_eventdata_SubjectUserName}
%{winlog_eventdata_SubjectDomainName}
%{winlog_eventdata_SubjectLogonId}"
"winlog_logon" => "%{?winlog_logon_header}
%{winlog_eventdata_LogonType}
%{?winlog_eventdata_RestrictedAdminMode}
%{?winlog_eventdata_VirtualAccount}
%{?winlog_eventdata_ElevatedToken}"
"winlog_newlogon" => "%{?newlogon_header}
%{winlog_eventdata_TargetUserSid}
%{winlog_eventdata_TargetUserName}
%{winlog_eventdata_TargetDomainName}
%{winlog_eventdata_TargetLogonId}
%{winlog_eventdata_LinkedLogonID}
%{?winlog_eventdata_NetworkAccountName}
%{winlog_eventdata_NetworkAccountDomain}
%{winlog_eventdata_TargetLogonGuid}"
"winlog_process" => "%{?process_header}
%{winlog_eventdata_ProcessId}
%{winlog_eventdata_ProcessName}"
"winlog_network" => "%{?network_header}
%{?winlog_eventdata_WorkstationName}
%{winlog_eventdata_IpAddress}
%{winlog_eventdata_IpPort}"
}
}#end_dissect
