Parsing winlogbeat message field

Elastic Stack Beats
1

I am struggling a little bit with the learning curve of Elasticsearch; in the first instance I’d just like to index some specific Windows logs for our privilege management solution and graph out a few metrics.

I’ve got an Elastic stack running on Docker, configured Logstash and winlogbeat to get some data into elasticsearch okay. I’m struggling at the point where I need to break down the resulting table into something more meaningful. The event contents have been broken down into parameters as below. However I’m not sure how to rename these fields now and filter out any that I might not want to store:

1
1.png914×570 64.8 KB

2
2.png742×698 70.4 KB

I’ve tried putting the winlogbeat through logstash but the output seems to be the same. I’ve tried to find a solution in Elastic’s documentation but I’m not sure where to start!

2

You could use processors to rename or remove fields.

winlogbeat.event_logs:
- name: Application
  processors:
  - rename:
      when.equals.winlog.event_id: 2
      fields:
        - {from: winlog.event_data.param1, to: process.args}
        - {from: winlog.event_data.param2, to: process.pid}
  - drop_fields:
      when.equals.winlog.event_id: 2
      fields:
      - winlog.event_data.param30
3

Fantastic! Thank you :grin:

The University of Derby has a published policy regarding email and reserves the right to monitor email traffic.
If you believe this was sent to you in error, please reply to the sender and let them know.
Key University contacts: http://www.derby.ac.uk/its/contacts/

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.