Hi all.
I'm using a basic ELK stack to parse Windows DC event logs (Winlogbeat) and send email (sendmail) to our ticket system when a user is created, blocked, changes password, etc.
All works.
But I see in the documentation that I can put (for example) in the subject a Logstash field that includes the username or the complete message, using % before the name of the field.
Example
My Elasticsearch has these values:
winlog.event_data.TargetUserName = johndoe
message = An attempt was made to reset an account's password. Subject:......
My Logstash config (that works) is this:
input {
  beats {
    port => "5044"
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "%{[@metadata][beat]}-%{+YYYY-MM-dd}"
  }
  # 4724 = "An attempt was made to reset an account's password"
  if [event][code] == 4724 {
    email {
      from => "email@domain.com"
      to => "email2@domain.com"
      # nested fields must be referenced with bracket syntax, not dotted names
      subject => "ALERT Reset Password from a Privileged Admin, User %{[winlog][event_data][TargetUserName]}"
      body => "Message is: \n'%{message}'. \n"
      via => "sendmail"
    }
  }
}
But %{message} and %{winlog.event_data.TargetUserName} appear as-is, not with the data johndoe or the complete message.
Could you help me?
Thanks
Regards.
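The symptom in the post comes from how Logstash resolves `%{...}` references: `%{name}` is a top-level field lookup, and a nested field such as `winlog.event_data.TargetUserName` has to be written `%{[winlog][event_data][TargetUserName]}`; a reference that cannot be resolved is left in the string verbatim. The following Ruby script is an added example, not code from the post or from Logstash itself: it re-implements just enough of that interpolation over a constructed Winlogbeat-style event (the `SubjectUserName` value and the `4724` nesting are assumptions for the sample) to show the dotted form failing and the bracket form succeeding. It ignores Logstash's `%{+date}` formats and `@metadata` handling.

```ruby
# Added example (not from the original post): a minimal model of Logstash's
# sprintf-style "%{...}" field interpolation, to show why
# "%{winlog.event_data.TargetUserName}" is left untouched while
# "%{[winlog][event_data][TargetUserName]}" resolves. This is a teaching
# model of the behaviour, not the Logstash implementation.

# Constructed event modelled on the values in the post (Winlogbeat nesting).
SAMPLE_EVENT = {
  "message" => "An attempt was made to reset an account's password. Subject: ...",
  "event"   => { "code" => 4724 },
  "winlog"  => {
    "event_data" => {
      "TargetUserName"  => "johndoe",
      "SubjectUserName" => "adminuser" # constructed: the account performing the reset
    }
  }
}.freeze

# Resolve one field reference to a value, or nil if it does not exist.
#   "message"                              -> top-level key lookup
#   "[winlog][event_data][TargetUserName]" -> walk the nested hashes
#   "winlog.event_data.TargetUserName"     -> top-level key containing dots (normally absent)
def lookup_field(event, reference)
  if reference.start_with?("[")
    path = reference.scan(/\[([^\]]+)\]/).flatten
    path.reduce(event) do |node, key|
      return nil unless node.is_a?(Hash) && node.key?(key)
      node[key]
    end
  else
    event[reference]
  end
end

# Expand every %{...} in template. As in Logstash, an unresolved reference is
# emitted verbatim, which is exactly the symptom described in the post.
def sprintf_event(event, template)
  template.gsub(/%\{([^}]+)\}/) do
    ref = Regexp.last_match(1)
    value = lookup_field(event, ref)
    value.nil? ? "%{#{ref}}" : value.to_s
  end
end

if __FILE__ == $PROGRAM_NAME
  broken = "ALERT Reset Password, User %{winlog.event_data.TargetUserName}"
  fixed  = "ALERT Reset Password, User %{[winlog][event_data][TargetUserName]} " \
           "by %{[winlog][event_data][SubjectUserName]}"
  puts sprintf_event(SAMPLE_EVENT, broken)
  puts sprintf_event(SAMPLE_EVENT, fixed)
  puts sprintf_event(SAMPLE_EVENT, "Message is: %{message}")
end
```

Running the script prints the broken subject unchanged and the fixed subject with `johndoe` filled in; in the real pipeline the same bracket syntax goes into the `subject` option of the `email` output, and `%{message}` works as a plain top-level reference.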