Hi,
I do not know how to solve a problem; I will try to explain. I have centralized logs on AWS CloudWatch and I send these logs to an instance of Elasticsearch through a Lambda function.
I create a newspaper index for each log.
The only thing is that on Elasticsearch it creates only 16 fields:

- @id
- id.keyword
- log_group
- log_group.keyword
- log_stream
- log_stream.keyword
- message
- message.keyword
- owner
- owner.keyword
- timestamp
- _id
- _index
- _score
- _source
- _type

and the log record inside the @message field. With only these 16 fields I cannot create correct views.
For example, if I collect the Active Directory logs from CloudWatch, I find all the log records in the @message field and I cannot separate the Windows EventID.
I know that you should use Winlogbeat to collect the logs correctly, but since I already have the logs in CloudWatch I preferred to use it.
Is there a solution?
Can someone help me?
Thanks a lot
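One way to get the Windows EventID (and the other event attributes) out of `@message` is to parse the message inside the Lambda before the document is sent to Elasticsearch, so each event arrives with its own structured fields instead of one opaque string. The following is an added example written for this thread; it is not code from the original post, from AWS or from Elastic. It assumes two message layouts that the CloudWatch agent can emit for Windows event logs (an XML `<Event>` document, and a bracketed text line `[Channel] [Level] [EventID] [Provider] [Computer] [Message]`); the sample subscription payload, host names and user names are constructed for the demonstration.

```python
import base64
import gzip
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Assumed bracketed layout of the CloudWatch agent's "text" Windows event format
# (assumption for this example): [Channel] [Level] [EventID] [Provider] [Computer] [Message]
TEXT_EVENT_RE = re.compile(
    r"^\[(?P<channel>[^\]]*)\] \[(?P<level>[^\]]*)\] \[(?P<event_id>\d+)\] "
    r"\[(?P<provider>[^\]]*)\] \[(?P<computer>[^\]]*)\] \[(?P<text>.*)\]$",
    re.DOTALL,
)


def parse_windows_event(message):
    """Extract structured fields from one Windows event message.

    Handles the XML event format and the bracketed text format above. Returns an
    empty dict when the line matches neither, so the raw message is still indexed
    and nothing is silently dropped.
    """
    message = message.strip()
    if message.startswith("<Event"):
        try:
            # For XML from untrusted sources, defusedxml is the safer parser.
            root = ET.fromstring(message)
        except ET.ParseError:
            return {}
        system = root.find("{*}System")  # "{*}" matches the Windows event namespace
        if system is None:
            return {}

        def child_text(name):
            node = system.find("{*}" + name)
            return (node.text or "").strip() if node is not None else ""

        fields = {"channel": child_text("Channel"), "computer": child_text("Computer"),
                  "level": child_text("Level")}
        try:
            fields["event_id"] = int(child_text("EventID"))
        except ValueError:
            return {}
        provider = system.find("{*}Provider")
        fields["provider"] = provider.get("Name", "") if provider is not None else ""
        # EventData carries the per-event attributes (logon name, logon type, ...)
        data = {d.get("Name"): (d.text or "").strip()
                for d in root.iterfind("{*}EventData/{*}Data") if d.get("Name")}
        if data:
            fields["event_data"] = data
        return fields
    m = TEXT_EVENT_RE.match(message)
    if not m:
        return {}
    fields = m.groupdict()
    fields["event_id"] = int(fields["event_id"])
    return fields


def decode_awslogs(data_b64):
    """Decode the base64+gzip 'awslogs.data' blob that Lambda receives from CloudWatch Logs."""
    return json.loads(gzip.decompress(base64.b64decode(data_b64)))


def build_documents(payload):
    """Turn a decoded subscription payload into Elasticsearch documents with a 'winlog' object."""
    docs = []
    for event in payload.get("logEvents", []):
        doc = {
            "@timestamp": datetime.fromtimestamp(event["timestamp"] / 1000, tz=timezone.utc).isoformat(),
            "@id": event.get("id"),
            "log_group": payload.get("logGroup"),
            "log_stream": payload.get("logStream"),
            "owner": payload.get("owner"),
            "@message": event["message"],
        }
        parsed = parse_windows_event(event["message"])
        if parsed:
            doc["winlog"] = parsed  # query/aggregate on winlog.event_id in Kibana
        docs.append(doc)
    return docs


# Constructed sample payload shaped like a CloudWatch Logs subscription event (not real data).
SAMPLE_PAYLOAD = {
    "owner": "123456789012", "logGroup": "/windows/eventlog", "logStream": "DC01",
    "logEvents": [
        {"id": "1", "timestamp": 1700000000000, "message":
         '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
         '<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>'
         '<Level>0</Level><Channel>Security</Channel><Computer>DC01.example.local</Computer>'
         '</System><EventData><Data Name="TargetUserName">alice</Data>'
         '<Data Name="LogonType">3</Data></EventData></Event>'},
        {"id": "2", "timestamp": 1700000001000, "message":
         "[System] [INFORMATION] [6005] [EventLog] [DC01] [The Event log service was started.]"},
        {"id": "3", "timestamp": 1700000002000, "message": "plain application line with no structure"},
    ],
}
SAMPLE_BLOB = base64.b64encode(gzip.compress(json.dumps(SAMPLE_PAYLOAD).encode())).decode()


def lambda_handler(event, context=None):
    """Lambda entry point: returns the documents; a real function would bulk-index them."""
    return build_documents(decode_awslogs(event["awslogs"]["data"]))


if __name__ == "__main__":
    print(json.dumps(lambda_handler({"awslogs": {"data": SAMPLE_BLOB}}), indent=2))
```

Indexing `winlog` as an object (with an explicit mapping that makes `winlog.event_id` an integer) lets the EventID be filtered and aggregated directly, while unparsed lines still land in `@message`, which is what you want for detection work: parsing failures should be visible, not lost.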