Logstash - event id to name

Hi All,

I am trying to add another field in Elasticsearch from the Winlogbeat event ID, mapping it to the corresponding name, but I couldn't get it to work.

filter {
  if "Security" in [log_name] {
    translate {
      dictionary => [ "4624", "Successful logon",
                      "4647", "User initiated logoff",
                      "4648", "Account login with Explicit Credentials" ]
      field => "[event_id]"
      destination => "[event_id][Name]"
      add_tag => ['Event_Name_translate']
      exact => false
    }
  }
}

I am getting this error.
[2018-03-29T14:03:42,298][ERROR][logstash.filters.translate] Something went wrong when attempting to translate from dictionary {:exception=>java.lang.ClassCastException, :field=>"[event_id]", :event=>#LogStash::Event:0x400fd3b8}

[2018-03-29T14:03:42,298][ERROR][logstash.filters.translate] Something went wrong when attempting to translate from dictionary {:exception=>java.lang.ClassCastException, :field=>"[event_id]", :event=>#LogStash::Event:0x4c8f06b9}

[2018-03-29T14:03:42,298][ERROR][logstash.filters.translate] Something went wrong when attempting to translate from dictionary {:exception=>java.lang.ClassCastException, :field=>"[event_id]", :event=>#LogStash::Event:0x4fc69633}

Please help me figure it out.

Thanks,
Raj

try field => [fields][event_id]

1 Like

Thank you, now there is no error, but no field is added in Elasticsearch. I refreshed the Kibana fields and it is still not added. I am not sure what the problem could be. I do receive a couple of the event IDs, 4624, 4647, etc.

This is incorrect. The way that Raj had done it earlier was the correct way.

Did you have a look at this thread? It might give you some idea. I have not used translate often, but given that it is a dictionary, the syntax should ideally be [field_name][attribute_name].

Also, if you could post the entire filter it would be helpful.

Do you need the field to be a nested field? Why can't you create a new field called event_id_name and use it instead?

Regards,
N

1 Like

Thank you for the reply. Actually I am trying to recreate something like this; I have another filter which works fine.

Working one

input {
  beats {
    port => 5044
  }
}

filter {
  if "AccessList" in [event_data] {
    translate {
      dictionary => [ '%%1537', "Delete",
                      '%%1538', "ReadControl",
                      '%%1539', "ReadControl",
                      '%%1805', "NotGranted" ]
      field => "[event_data][AccessList]"
      destination => "[event_data][Accesses]"
      add_tag => ['accesses_translate']
      exact => false
    }
  }
}

Non-working one, same input but a different filter

filter {
  if "Security" in [log_name] {
    translate {
      dictionary => [ '4624', "Successful logon",
                      '4647', "User initiated logoff",
                      '4648', "Account login with Explicit Credentials" ]
      field => "[event_id]"
      destination => "[event_id][Name]"
      add_tag => ['Event_Name_translate']
      exact => false
    }
  }
}

I even tried with double quotes, "4624", and still get the same error.

Thanks,
Raj

Please show us the event, either from output { stdout { codec => rubydebug } } or from the JSON tab in the Discover panel in Kibana.

Hi Badger,

This is how it looks:

{
  "_index": "winlogbeat-2018.04.02",
  "_type": "doc",
  "_id": "JdrxGLa3J",
  "_version": 1,
  "_score": null,
  "_source": {
    "computer_name": "Det.k",
    "process_id": 540,
    "keywords": [
      "Audit Success"
    ],
    "log_name": "Security",
    "level": "Information",
    "record_number": "854127",
    "event_data": {
      "ProcessName": "-",
      "LogonGuid": "{000000-0000-0000-0000-000000000}",
      "LogonType": "3",
      "IpPort": "54579",
      "TransmittedServices": "-",
      "SubjectLogonId": "0x0",
      "KeyLength": "128",
      "LmPackageName": "NTLM V2",
      "TargetLogonId": "0x1028a",
      "SubjectUserName": "-",
      "WorkstationName": "V40",
      "IpAddress": "x.x.x.x",
      "SubjectDomainName": "-",
      "ProcessId": "0x0",
      "TargetUserName": "trnc",
      "TargetDomainName": "Vrf",
      "LogonProcessName": "NtL",
      "SubjectUserSid": "1-3-0-0",
      "TargetUserSid": "S-114293-160-60-257",
      "AuthenticationPackageName": "Neg"
    },
    "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-128-198-600-257\n\tAccount Name:\t\t\n\tAccount Domain:\t\tV\n\tLogon ID:\t\t0x118a\n\tLogon GUID:\t\t{00000000-0000-0000-0000-00000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-AP0\n\tSource Network Address:\t10.11.29.143\n\tSource Port:\t\t54579\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
    "type": "wineventlog",
    "opcode": "Info",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "thread_id": 42,
    "@timestamp": "2018-04-02T15:24:13.439Z",
    "event_id": 4624,
    "task": "Logon",
    "provider_guid": "{545-578-494-AA-3BC}",
    "@version": "1",
    "beat": {
      "name": "VC19",
      "hostname": "V19",
      "version": "6.0.1"
    },
    "host": "V9",
    "source_name": "Microsoft-Windows-Security-Auditing"
  },
  "fields": {
    "@timestamp": [
      "2018-04-02T15:24:13.439Z"
    ]
  },
  "sort": [
    1522682653439
  ]
}

Thanks,
Raj

Try changing
destination => "[event_id][Name]" ==> destination => "dummyName"

I am not that familiar with translate, but destination is something I have used.

Thanks

Two problems

  1. The use of exact => false with a numeric field.
  2. Trying to create a field within a numeric field.

The following works

input { generator { message => '{ "event_id" : "1234624789" } ' count => 1 } }
output { stdout { codec => rubydebug } }
filter { json { source => "message" } }
filter {
  translate {

    dictionary => [ "4624", "Successful logon",
                    "4647", "User initiated logoff",
                    "4648", "Account login with Explicit Credentials" ]
    field => "[event_id]"
    destination => "[foo][Name]"
    add_tag => ['Event_Name_translate']
    exact => false
  }
}

and results in

           "foo" => {
        "Name" => "123Successful logon789"
    }

So choose a new destination and also either mutate+copy event_id to another field then mutate+convert it to a string, or remove exact => false.

1 Like
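As an added example (not code from the thread, from Raj, or from Elastic), here is a complete Logstash pipeline that applies the two fixes Badger describes: the lookup runs against a string copy of event_id, so the original numeric field and its Elasticsearch mapping are left alone, and the translated name goes into a new top-level field instead of a child of the numeric event_id. It also drops exact => false, because the non-exact mode substitutes substrings (Badger's "123Successful logon789" above), which for numeric IDs means "4624" would also fire inside an unrelated value such as "46240". It assumes Logstash 6.x with the bundled translate and mutate filters; the generator input and its four constructed events stand in for the beats input, and the dictionary extends the thread's three IDs with other Security-log event IDs taken from their Microsoft event titles.

```logstash
# Added example, not from the thread. Run with: bin/logstash -f enrich_event_name.conf
# Assumes Logstash 6.x; the generator input emits constructed events shaped
# like the Winlogbeat document Raj posted (event_id is an integer).

input {
  generator {
    lines => [
      '{ "log_name": "Security", "event_id": 4624, "event_data": { "LogonType": "3", "TargetUserName": "trnc" } }',
      '{ "log_name": "Security", "event_id": 4625, "event_data": { "LogonType": "3", "TargetUserName": "admin" } }',
      '{ "log_name": "Security", "event_id": 1102 }',
      '{ "log_name": "System",   "event_id": 4624 }'
    ]
    count => 1
  }
}

filter {
  # Turn the constructed JSON line into top-level fields, as the beats input would deliver them.
  json { source => "message" remove_field => ["message"] }

  if [log_name] == "Security" {
    # Fix 1: work on a string copy. event_id itself stays a number, so the
    # index mapping for it does not change. Two mutate blocks are needed
    # because within one mutate block "copy" runs after "convert".
    mutate { copy    => { "[event_id]"     => "[event_id_str]" } }
    mutate { convert => { "[event_id_str]" => "string" } }

    # Fix 2: exact (default) lookup into a new top-level field. The whole
    # value must equal a key, and the destination is not nested under the
    # numeric event_id. "fallback" keeps unknown IDs visible for triage.
    translate {
      field       => "[event_id_str]"
      destination => "[event_name]"
      fallback    => "Unknown Security event %{event_id_str}"
      add_tag     => ["Event_Name_translate"]
      dictionary  => [
        "1102", "The audit log was cleared",
        "4624", "An account was successfully logged on",
        "4625", "An account failed to log on",
        "4634", "An account was logged off",
        "4647", "User initiated logoff",
        "4648", "A logon was attempted using explicit credentials",
        "4672", "Special privileges assigned to new logon",
        "4688", "A new process has been created",
        "4720", "A user account was created",
        "4726", "A user account was deleted",
        "4740", "A user account was locked out",
        "4768", "A Kerberos authentication ticket (TGT) was requested",
        "4769", "A Kerberos service ticket was requested",
        "4771", "Kerberos pre-authentication failed",
        "4776", "The computer attempted to validate the credentials for an account"
      ]
    }

    # The helper copy has done its job; keep the indexed document clean.
    mutate { remove_field => ["event_id_str"] }
  }
}

# Inspect the enriched events; swap for an elasticsearch output once satisfied.
output { stdout { codec => rubydebug } }
```

With the constructed input, the three Security events come out with event_name set ("An account was successfully logged on", "An account failed to log on", "The audit log was cleared") and the Event_Name_translate tag, while the System event passes through untouched. Once the list grows beyond a handful of IDs, move it to a YAML file and point the filter at it with dictionary_path (with refresh_interval set) so the mapping can be updated without editing the pipeline.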

Hi Badger,

Thank you for the reply ,so do you mean this will work

filter {
  translate {
    dictionary => [ "4624", "Successful logon",
                    "4647", "User initiated logoff",
                    "4648", "Account login with Explicit Credentials" ]
    field => "[event_id]"
    destination => "[Eventid][Name]"
    add_tag => ['Event_Name_translate']
  }
}

Thanks,
Raj

I believe so.

1 Like

Thank you for the reply, I will try it out.
