Ingest pipelines: logstash equivalent template for winlogbeat security


I've just found that there are Ingest Pipelines and I was wondering if there is an equivalent template for Logstash, or maybe if you know how to convert it to Logstash format?

It would be useful especially for the Windows security logs.

E.g., the last processor of the Winlogbeat security ingest pipeline removes the field event.original. I know how to translate this action into Logstash format, but for the other processors it looks difficult to find the equivalent.

Actually there is a tool! Converting Ingest Node Pipelines | Logstash Reference [8.13] | Elastic

Sorry for my dumb question! Next time I will RTFM ^^

True, but it looks like it hasn't been updated in four years, so I would not be surprised if it is unable to do the conversion on some (much?) of the functionality that has been added to ingest pipelines since then.

Yes, I just saw that, especially since the Winlogbeat ingest pipelines have many script processors and the tool is unable to convert them.

Yep, it seems not to work. I have an exception:

bin/ --input file:///usr/share/logstash/pipeline/winlogbeat/winlogbeat-8.13.2-security.json --output file:///usr/share/logstash/pipeline/winlogbeat/winlog-security-parser.conf
Exception in thread "main" java.lang.NullPointerException: Cannot invoke "" because "processors" is null
        at org.logstash.ingest.IngestPipeline.toLogstash(
        at org.logstash.ingest.JsUtil.convert(
        at org.logstash.ingest.Pipeline.main(

Hello, I found an alternative way to convert the Painless scripts, which are difficult for me as I'm not a developer.

I used ChatGPT to convert the Painless script Kerberos Ticket Options from the winlogbeat-security ingest pipelines.

Here are the details. My questions are in French but you can translate; what's important is the result, and it can be converted easily to a Logstash format.

It even explains each step of how it works! The same method can be used to convert all the other Painless scripts.

Thank you!

Thanks for sharing.