Join various WinLogBeat Windows Event Log events into one?

Hello

Using WinLogBeat, I'm collecting logs from Windows Event Logs and sending them to Logstash, which then sends them to Elasticsearch. All of this is working.

The issue is that I want to do something a bit more complex...

Let's say I have the following:

| ID | DateTime | User | Data1 | Data2 | Data3 | sourceoflog |
|----|----------|------|-------|-------|-------|-------------|
| 1 | 2021-03-12:14:01 | auser | 192.168.9.1 | | | security |
| 2 | 2021-03-12:14:02 | auser | failed | | | operation |
| 3 | 2021-03-12:14:03 | auser | notfound | | | application |

As you can see, the common field would be "user"; I'd like to join all this data and store it in one index, eliminating some things I don't want. For example, it would end up something like:

| DateTime | User | OutCome | Reason | Source |
|----------|------|---------|--------|--------|
| 2021-03-12:14:01 | auser | notfound | 192.168.9.1 | |

As you can see, I have added various data together using "auser" as a "primary key" and then separated it out into a standalone index.

In SQL, it would just be a matter of looking across various tables, but I don't know how to do it here.

What would be the best way?

Use an aggregate filter. Take a look at example 3. Make sure you understand the restrictions (pipeline.workers 1, pipeline.ordered).

Doesn't look to be that simple though.

Can't seem to edit my post (beyond me), but one of the entries I have is "domain\auser", so I need to split that.

| ID | DateTime | User | Data1 | Data2 | Data3 | sourceoflog |
|----|----------|------|-------|-------|-------|-------------|
| 1 | 2021-03-12:14:01 | auser | 192.168.9.1 | | | security |
| 2 | 2021-03-12:14:02 | domain\auser | failed | | | operation |
| 3 | 2021-03-12:14:03 | auser | notfound | | | application |

Like so.

I don't quite understand example 3.

Any examples on how to do this?
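A constructed Logstash pipeline fragment, added here and not taken from the thread or from Elastic's documentation, showing how the aggregate filter suggested above could merge the three rows into one record keyed on the user, including the "domain\auser" split. The lowercase field names user, datetime, data1 and sourceoflog, the index name and the 120-second timeout are assumptions standing in for whatever Winlogbeat actually ships.

```logstash
# Assumes pipeline.workers: 1 and pipeline.ordered: true, as the aggregate filter requires.
filter {
  # Derive one join key for all sources: "domain\auser" and "auser" both give user_key = "auser".
  # Logstash hands the single-quoted string to Ruby unchanged (default config.support_escapes: false),
  # so Ruby reads "\\" as a single backslash.
  ruby {
    code => 'event.set("user_key", event.get("user").to_s.split("\\").last)'
  }

  # Copy only the wanted fields into the shared map; "failed" from the operation log is never
  # copied, so it does not reach the merged record.
  aggregate {
    task_id => "%{user_key}"
    code => "
      map['datetime'] ||= event.get('datetime')
      src = event.get('sourceoflog')
      map['reason']  = event.get('data1') if src == 'security'
      map['outcome'] = event.get('data1') if src == 'application'
      map['source']  ||= src
    "
    # There is no known 'last' event per user, so (as in docs example 3) the merged map is
    # emitted as a new event once no more events for that user arrive within the timeout.
    push_map_as_event_on_timeout => true
    timeout_task_id_field => "user"
    timeout => 120
    timeout_tags => ["aggregated"]
  }

  # Drop the raw per-source events; only the emitted aggregate (tagged above) continues.
  if "aggregated" not in [tags] {
    drop { }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "user-activity"
  }
}
```

With the rows from the post, the emitted event carries datetime 2021-03-12:14:01, user auser, outcome notfound, reason 192.168.9.1 and source security; a user whose events never include the security or application sources simply gets an aggregate without those fields when the timeout fires.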
