Parsing winlogbeat message field

lwilliams · June 21, 2019, 12:41pm

I am struggling a little bit with the learning curve of Elasticsearch; in the first instance I’d just like to index some specific Windows logs for our privilege management solution and graph out a few metrics.

I’ve got an Elastic stack running on Docker, configured Logstash and winlogbeat to get some data into elasticsearch okay. I’m struggling at the point where I need to break down the resulting table into something more meaningful. The event contents have been broken down into parameters as below. However I’m not sure how to rename these fields now and filter out any that I might not want to store:

I’ve tried putting the winlogbeat through logstash but the output seems to be the same. I’ve tried to find a solution in Elastic’s documentation but I’m not sure where to start!

andrewkroh · June 21, 2019, 4:07pm

You could use processors to rename or remove fields.

winlogbeat.event_logs:
- name: Application
  processors:
  - rename:
      when.equals.winlog.event_id: 2
      fields:
        - {from: winlog.event_data.param1, to: process.args}
        - {from: winlog.event_data.param2, to: process.pid}
  - drop_fields:
      when.equals.winlog.event_id: 2
      fields:
      - winlog.event_data.param30

lwilliams · June 22, 2019, 2:26pm

Fantastic! Thank you

The University of Derby has a published policy regarding email and reserves the right to monitor email traffic.
If you believe this was sent to you in error, please reply to the sender and let them know.
Key University contacts: http://www.derby.ac.uk/its/contacts/

system · July 20, 2019, 2:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.