I have a simple logstash.conf at the moment. I receive from Winlogbeat and I store the information in Elasticsearch.
Now I'd like to add a new output to syslog. I'd like to send only the logs of the administrator users to syslog.
How could I implement this? I think of the following 2 solutions:
- Winlogbeat sends the information with a field that shows the administrator users (at the moment I haven't found a solution for this; I see the processors, but it isn't possible to use a script to discover the administrators of the system)
- Logstash receives the information from Winlogbeat and, for each user, checks whether the user is an administrator of the system with script code (I see that in Logstash there is the Ruby code that I could use)
Do you have other suggestions?
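As an added illustration of the second approach (not part of the original post or of any reply): a Logstash pipeline whose ruby filter tags events where the acting account appears in a locally maintained list of privileged accounts, and whose syslog output fires only for tagged events. The field name `[winlog][event_data][SubjectUserName]`, the list file `/etc/logstash/admin_users.txt`, and the host `syslog.example.internal` are assumptions to adapt to your Winlogbeat version and environment.

```logstash
input {
  beats { port => 5044 }
}

filter {
  # Assumption: the privileged accounts are kept in a one-name-per-line file on the
  # Logstash host (e.g. exported from the local Administrators group), since Logstash
  # cannot query the Windows group membership of the event's origin host directly.
  ruby {
    init => "
      path = '/etc/logstash/admin_users.txt'
      @admins = File.exist?(path) ? File.readlines(path, chomp: true).map(&:strip).reject(&:empty?).map(&:downcase) : []
    "
    code => "
      # Assumption: Winlogbeat 7.x places the acting account here for Security events;
      # older versions use [event_data][SubjectUserName].
      user = event.get('[winlog][event_data][SubjectUserName]')
      if user && @admins.include?(user.to_s.downcase)
        event.tag('admin_user')
      end
    "
  }
}

output {
  # Everything still goes to Elasticsearch as before.
  elasticsearch { hosts => ["localhost:9200"] }

  # Only events tagged above are forwarded to syslog.
  if "admin_user" in [tags] {
    syslog {
      host     => "syslog.example.internal"
      port     => 514
      protocol => "udp"
      facility => "security/authorization"
      severity => "informational"
      appname  => "winlogbeat"
    }
  }
}
```

The list is read once at pipeline start; restart the pipeline (or enable `config.reload.automatic`) after changing the file.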