If statement in winlogbeat configuration

msylvestre · August 8, 2023, 6:13pm

Hello,

I'm trying to add an IF statement in my winlogbeat configuration, but I can't figure out how. Basically I have a field named token that I need to changed based on the agent_name. What am I missing?

###################### Winlogbeat Configuration ##########################

winlogbeat.event_logs:
  - name: Application
    ignore_older: 720h
  - name: Security
    ignore_older: 720h
  - name: System
    ignore_older: 720h

fields:
  logzio_codec: json
  token: AAAAAAAAAAAAAAAAAAAAAAA
  type: wineventlog
fields_under_root: true

# processors:
# - if:
#       winlogbeat.agent:
#         name: "HOSTNAME"
#   then:
#       - replace:
#           fields:
#             token : BBBBBBBBBBBBBBBBB
#

#----------------------------- Logstash output -----------------------------
output.logstash:
  hosts: [ host:port ]
  ssl:
    certificate_authorities: [path]

Thank you,

Mathieu

andrewkroh · August 8, 2023, 6:37pm

These two examples are equivalent.

processors:
  - if:
      equals:
        agent.name: "HOSTNAME"
    then:
      - add_fields:
          target: ''
          fields:
            token: BBBBBBBBBBBBBBBBB

processors:
  - add_fields:
      when:
        equals:
          agent.name: "HOSTNAME"
      target: ''
      fields:
        token: BBBBBBBBBBBBBBBBB

msylvestre · August 8, 2023, 6:44pm

Thank you so much Andrew! Working like a charm!

Mathieu

system · September 5, 2023, 8:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.