Need help how to remove unwanted fields logstash

holpa · April 13, 2022, 10:32am

Please tell me how to remove unnecessary fields. Type: agent.ephemeral_id agent.id winlog.provider_guid

I tried, But kibana stops showing logs at all

drop_fields: fields: ["date_created", "ecs.version", "agent.version", "agent.type", "agent.id"]

I logstash have these configs: elk.conf:

input {
  beats {
    port => 5044
  }
}

filter {
    if "winsrvad" in [tags] {
    if [winlog][event_id] != "4776"{
	}
    }
}

output {
        elasticsearch {
            hosts => "localhost:9200"
            index => "winsrvad-%{+YYYY.MM.dd}"
            user => Logstash
            password => xxxxxxxx
    }
}

config winlogbeat:

winlogbeat.event_logs:
- name: ForwardedEvents
  forwarded: true

 # ignore_older: 72h

tags: ["winsrvad"]

output.logstash:
  hosts: ["10.10.0.1:5044"]

#logging.level: info
#logging.to_files: true
logging.files:
  path: C:\Program Files\winlogbeat

kibana or displays nothing or displays all event id

Cad · April 13, 2022, 1:08pm

Hi,

To remove a field, you can use the mutate filter in logstash.
Use it like this:

filter {
  mutate {
    remove_field => [ "date_created", "[ecs][version]", "[agent][version]", "[agent][type]", "[agent][id]" ]
  }
}

Cad.

system · May 11, 2022, 1:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.