Join various WinLogBeat Windows Event Log events into one?

riahc3 · March 12, 2021, 1:44pm

Hello

Using WinLogBeat, Im collecting logs from Windows Event Logs and sending it to Logstash which then sends it to Elasticsearch. For all, working.

Issue is that I want to do something a bit more complex...

Lets say I have the following

ID DateTime User Data1 Data2 Data 3 sourceoflog
1 2021-03-12:14:01 auser 192.168.9.1security
2 2021-03-12:14:02 auser failed operation
3 2021-03-12:14:03 auser notfound application

As you can see, the common field would be "user"; Id like to join all this data and store it in one index, elimating somethings I dont want. For example, it would end up something like

DateTime User OutCome Reason Source
2021-03-12:14:01 auser notfound 192.168.9.1

As you can see, I have added various data together using a "primary key" as auser and then seperated it to a standalone index.

In SQL, it would be just looking against various tables but, I dont know how to do it here.

What would be the best way?

Badger · March 12, 2021, 3:52pm

Use an aggregate filter. Take a look at example 3. Make sure you understand the restrictions (pipeline.workers 1, pipeline.ordered).

riahc3 · March 15, 2021, 8:28am

Doesnt look to be that simple though

Cant seem to edit my post (beyond me) but one of the entries I need as "domain\auser" so I need to split that.

ID DateTime User Data1 Data2 Data 3 sourceoflog
1 2021-03-12:14:01 auser 192.168.9.1security
2 2021-03-12:14:02 domain\auser failed operation
3 2021-03-12:14:03 auser notfound application

Like so.

I dont quite understand example 3

riahc3 · March 18, 2021, 2:41pm

Any examples on how to do this?

system · April 15, 2021, 2:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.