I am struggling a little bit with the learning curve of Elasticsearch; in the first instance I’d just like to index some specific Windows logs for our privilege management solution and graph out a few metrics.
I’ve got an Elastic stack running on Docker and have configured Logstash and winlogbeat to get some data into Elasticsearch okay. I’m struggling at the point where I need to break down the resulting table into something more meaningful. The event contents have been broken down into parameters as below. However, I’m not sure how to rename these fields now and filter out any that I might not want to store:
I’ve tried putting the winlogbeat data through Logstash, but the output seems to be the same. I’ve tried to find a solution in Elastic’s documentation, but I’m not sure where to start!
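One way to do the renaming and pruning described above in the Logstash filter stage, as an added example that is not part of the original post. It assumes winlogbeat ships to the beats input on port 5044, that the event parameters sit under `winlog.event_data.*` (the winlogbeat 7.x layout), and uses stand-in field names and a placeholder provider name, since the post does not say which fields the privilege management solution emits.

```logstash
# Added example (not from the original post).
# Assumed: winlogbeat -> beats input :5044; parameters under winlog.event_data.*
# SubjectUserName / ProcessName / ElevationType are stand-ins for the real fields.
input {
  beats { port => 5044 }
}

filter {
  # Only reshape events from the product we care about; everything else passes through.
  if [winlog][provider_name] == "PLACEHOLDER_PROVIDER" {
    mutate {
      # rename runs before remove_field inside a single mutate block, so the
      # values survive the drop of the parent winlog.event_data object below.
      rename => {
        "[winlog][event_data][SubjectUserName]" => "[pm][user]"
        "[winlog][event_data][ProcessName]"     => "[pm][process]"
        "[winlog][event_data][ElevationType]"   => "[pm][elevation]"
      }
      # Fields we never want to store: the remaining raw parameters and the
      # rendered message text, which duplicates what is already in the parameters.
      remove_field => [
        "[winlog][event_data]",
        "message"
      ]
    }
    # Flag documents that lack a field the graphs depend on instead of
    # indexing them silently; the tag is easy to search for in Kibana.
    if ![pm][user] {
      mutate { add_tag => ["_pm_missing_user"] }
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    index => "pm-winlog-%{+YYYY.MM.dd}"
  }
}
```

The same result can be had on the Windows host with winlogbeat’s `rename` and `drop_fields` processors, which avoids sending fields you will discard over the wire at all.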