Logstash_KVFilter

Raj_Kumar · December 12, 2019, 9:45am

Hi There,

Am trying to split the fileds and values of this field

winlog.event_data.RuleName: technique_id=T1036,technique_name=Masquerading

in two other separate fields where I can have technique id separately and technique name separately

filter {
if "winlogbeat" in [tags] and [log_name] == "Microsoft-Windows-Sysmon/Operational" {
kv { source => "[winlog][event_data][RuleName]" target => "[winlog][event_data][RuleName]" field_split => "," }
}
}

Could you please tell me what error am I making , I could'nt split these

Raj_Kumar · December 13, 2019, 9:26am

any help please ?

ahmedmusaad · January 2, 2020, 2:56pm

Hi Raj,

There a couple of things you need to change in your filter syntax to achieve the results you are looking for, try replacing your filter with this following one:

filter {
if ([winlog][channel] == "Microsoft-Windows-Sysmon/Operational") {
    if ([winlog][event_data][RuleName]) {
        kv {
            source => "[winlog][event_data][RuleName]"
            field_split => ","
            value_split => "="
            prefix => "mitre_"
            transform_key => "lowercase"
        }
    }
}
}

I have tested the filter above and it works, you will get the new fields with the information from the RuleName field. Feel feel to share any questions or thoughts.

system · January 30, 2020, 2:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.