Output email don´t add % fields

Txurrispo · July 1, 2020, 7:11am

Hi all.

I´m using a basic ELK stack to pharse windows DC event logs (winbeats) and send email (sendmail) to our Ticket system. When user is created, blocked, changed password etc....

All works.
But i see in the documentation, that i can put (for example) in the subjet a field of logstash that include the username or the message complete. Using % before the name of the field.

Example

Mi elasticsearch have this value:

winlog.event_data.TargetUserName = johndoe
message = An attempt was made to reset an account's password. Subject:......

My logstash (that works is this)

  beats{
        port => "5044"
  }
}

output{
  elasticsearch {
        hosts => ["127.0.0.1:9200"]
        index => "%{[@metadata][beat]}-%{+YYYY-MM-dd}"
  }
	    if [event][code] == 4724 {
        email {
        from => "email@domain.com"
        to => "email2@domain.com"
        subject => "ALERT Reset Password from a Privileged Admin, User %{winlog.event_data.TargetUserName}"
        body => "Message is: \n'%{message}'. \n"
        via => "sendmail"
                        }
                }


}

But %{message} and %{winlog.event_data.TargetUserName} apperas as is . not with the data jondhoe or the complet message.

Could you help me?
Thanks
Regards.

logger · July 1, 2020, 7:30am

Hi,

I think if you use the single quotes in the body then it will be seen as a string.
body => "Message is: \n %{message}. \n"

and nested fields need to be used like this:
%{[winlog][event_data][TargetUserName]}

I hope this helps

Txurrispo · July 1, 2020, 8:28am

Works booth!!!!

Thank You!!!!!!

system · July 29, 2020, 8:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.