Hi,
I'm new to using ELK. I'm looking for some help to properly parse the EventData field from my windows logs. Here's an example event:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="XXXXXX" />
<EventID Qualifiers="0">20</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-01-09T16:31:32.928992200Z" />
<EventRecordID>36567</EventRecordID>
<Channel>XXX-Log</Channel>
<Computer>XXX-XXX-XXX</Computer>
<Security />
</System>
<EventData>
<Data><SUI> <OU>XXX</OU> <UID>XXXXX</UID> <COMP>XXX-XXX-XXX</COMP> </SUI> <PDMessage> <Message>Some message</Message> <DateTime>00:00:05.5298444</DateTime> </PDMessage></Data>
</EventData>
</Event>
I'm using nxlog to ship the events from my system to Logstash. The nxlog conf is set to convert the event logs to JSON format and ship them out.
Is there a way on Logstash to properly extract the fields within EventData? EventData values differ for different events - it may have more/fewer tags within it.
Here's the Logstash config I'm using:
https://github.com/Security-Onion-Solutions/securityonion-elastic/blob/master/configfiles/6300_windows.conf
I'd really appreciate some help with this. Thanks!
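An added example of one way to do this in a Logstash filter block. It is not code from the original post or from the Security Onion config linked above, and it assumes nxlog's JSON output delivers the raw text of the `<Data>` element as the field `[event_data][Data]` (the field name is an assumption; check an actual event in Kibana). The main point it shows is that the EventData payload in the event above is not a well-formed XML document, because it has two top-level elements (`<SUI>` and `<PDMessage>`), so the `xml` filter alone would fail on it; wrapping the fragment in a synthetic root first fixes that.

```conf
# Added example, not part of the original post or the Security Onion pipeline.
# Assumption: nxlog places the raw text of the <Data> element in
# [event_data][Data]; change the path if your events use a different field.
filter {
  # Only touch events whose Data payload actually looks like XML.
  if [event_data][Data] =~ /^\s*</ {
    # The fragment holds two sibling top-level elements (<SUI> and <PDMessage>),
    # which is not a single well-formed XML document. Wrap it in a synthetic
    # root so the xml filter can parse it instead of tagging _xmlparsefailure.
    mutate {
      replace => { "[event_data][Data]" => "<root>%{[event_data][Data]}</root>" }
    }
    xml {
      source      => "[event_data][Data]"
      target      => "[event_data][parsed]"
      store_xml   => true
      # Single values become plain strings rather than one-element arrays.
      force_array => false
    }
    # Drop the raw XML only when parsing succeeded, so failures stay inspectable.
    if "_xmlparsefailure" not in [tags] {
      mutate { remove_field => [ "[event_data][Data]" ] }
    }
  }
}
```

For the event above this yields fields such as `[event_data][parsed][SUI][OU]`, `[event_data][parsed][SUI][UID]`, `[event_data][parsed][PDMessage][Message]` and `[event_data][parsed][PDMessage][DateTime]`. Because the tag set differs from event to event, the keys under `[event_data][parsed]` will differ too, so keep an eye on the resulting Elasticsearch mapping (dynamic field growth and type conflicts) rather than assuming a fixed schema.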