mguttula
March 9, 2021, 4:20pm
1
Logstash is sending winlogbeat fields to Spunk and when the fields don't exist it is send something like %{[winlog][event_data][AuthenticationPackageName]}
I am trying to find a way to either not send the field if it doesn't exist or at least send something like " - " for the fields that don't exist.
I tried the following scenario:
scenario 1:
filter {
if [agent][type] == "winlogbeat" {
mutate {
add_field => {
"Authentication_package" => "%{[winlog][event_data][AuthenticationPackageName]}"
"Error_Code" => "%{[winlog][event_data][ErrorCode]}"
}
add_tag => [ "winsplunk" ]
}
ruby {
init => "SplunkFields = ['[Authentication_package]','[Elevated_Token]']"
code => "
SplunkFields.each { |k, v|
if v.to_s.start_with?('%') || v =~ '%{['
event.set(k, 'hello')
end
}
"
}
}
}
Not sure how to get this work as there 15 or more fields sending to Splunk and 13 of the have "%{[" based on how many fields exists
scenario 2:
filter {
if [agent][type] == "winlogbeat" {
if ([winlog][event_data][AuthenticationPackageName]) {
mutate {
add_field => {
"Authentication_package" => "%{[winlog][event_data][AuthenticationPackageName]}"
}
}
} else {
mutate {
add_field => {
"Authentication_package" => " - "
}
}
}
}
The problem with this scenario is I have to repeat this approach for 15 fields
Badger
March 9, 2021, 4:27pm
2
If they are all top level fields then you can do this using a prune filter. Set blacklist_values to the default regexp for blacklist_names.
mguttula
March 9, 2021, 4:28pm
3
snippet of code in output section for Splunk where I could not check if fields have "%{["
http {
url => "https://localhost:8088/services/collector"
format => "json"
http_method => "post"
headers => ["Authorization", "Splunk 3axxxx-xxxxxxx"]
cacert => "/etc/logstash/certs/splunkcacert.pem"
mapping => {
"event" => {
"index" => "windows_os"
"time" => "%{[event][created]}"
"dvc" => "%{[host][name]}"
"Authentication_package" => "%{Authentication_package}"
"Error_Code" => "%{Error_Code}"
}
}
}
mguttula
March 9, 2021, 4:38pm
4
Below are some of the fields I adding in mutate plugin in filter section and sending these fields to Splunk in output section:
"Authentication_package" => "%{[winlog][event_data][AuthenticationPackageName]}"
"Elevated_Token" => "%{[winlog][event_data][ElevatedToken]}"
"Error_Code" => "%{[winlog][event_data][ErrorCode]}"
"Impersonation_Level" => "%{[winlog][event_data][ImpersonationLevel]}"
"Key_Length" => "%{[winlog][event_data][KeyLength]}"
"Linked_Logon_ID" => "%{[winlog][event_data][TargetLinkedLogonId]}"
"Logon_Process" => "%{[winlog][event_data][LogonProcessName]}"
"Logon_Type" => "%{[winlog][event_data][LogonType]}"
"Package_Name_NTLM_only" => "%{[winlog][event_data][LmPackageName]}"
"Restricted_Admin_Mode" => "%{[winlog][event_data][RestrictedAdminMode]}"
"Security_ID" => "%{[winlog][event_data][param26]}"
"Source_Network_Address" => "%{[winlog][event_data][IpAddress]}"
"Source_Port" => "%{[winlog][event_data][IpPort]}"
"Transmitted_Services" => "%{[winlog][event_data][TransmittedServices]}"
"Creator_process_ID" => "%{[winlog][event_data][ProcessId]}"
"Process_Command_Line" => "%{[process][command_line]}"
"Token_Elevation_Type" => "%{[winlog][event_data][TokenElevationType]}"
mguttula
March 9, 2021, 5:17pm
5
below code snippet is replacing fields starting with '%{[' to ' - '
code => "
SplunkFields.each { |k, v|
if event.get(k).start_with?('%{[')
event.set(k, ' - ')
end
}
"
But is this right way to send fields to Splunk? I wish I don't have to initialize in filter section if possible and don't even send the field to Splunk if it doesn't exist for a given message.
system
April 6, 2021, 5:17pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
