Not really sure where to put this question since it involves a lot of different parts of the stack...
I am currently ingesting windows event logs from a server --> logstash --> elasticsearch. I have modified my logstash pipeline and now need to reingest all the events that have been indexed in elasticsearch.
I initially started to use the scroll API to bulk export the events and then save the contents of the message field to be reingested using a file input. However, looking at the exported message field, it looks like this:
More information for the event entry with Instance ID 120a2df6-3bdd-43f5-a25d-252b58ca1969. There may be more events with the same Instance ID with more information.
Instance ID:
Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
Obviously, this is problematic because it's not on a single line. So I guess the question is, what does the data look like as it comes into Logstash from winlogbeat? Is there a way I can have these events reingested through Logstash?
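One way to get around the multiline problem in the export step, as an added example that is not part of the original post: instead of dumping the raw `message` text to a file, walk the index with the scroll API and write each hit's `_source` as one JSON object per line (NDJSON). `json.dumps` escapes the embedded newlines as `\n`, so every event stays on a single line and a Logstash file input with `codec => json_lines` reads it back with the original `message` (including its line breaks) intact. The index pattern `winlogbeat-*`, the Elasticsearch base URL and the constructed sample events are assumptions; the `make_fake_request` stand-in exists only so the scroll loop can be exercised offline.

```python
"""Export Elasticsearch documents via the scroll API as NDJSON (one event per
line) so multiline message fields survive reingestion through Logstash."""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List, Tuple

# request(method, path, body) -> decoded JSON response
Request = Callable[[str, str, dict], dict]

# Constructed sample events shaped like the winlogbeat output in the question.
SAMPLE_EVENTS: List[dict] = [
    {"event_id": 4624, "message": "Caller identity:\n"
     "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid\n"
     "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"},
    {"event_id": 4672, "message": "Special privileges assigned.\nSeDebugPrivilege"},
    {"event_id": 4634, "message": "An account was logged off."},
]


def http_request(base_url: str) -> Request:
    """Real transport: POST/DELETE JSON bodies to an Elasticsearch base URL
    (assumed, e.g. "http://localhost:9200"); add auth headers as needed."""
    def request(method: str, path: str, body: dict) -> dict:
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(), method=method,
            headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return request


def scroll_hits(request: Request, index: str, page_size: int = 500,
                keep_alive: str = "1m") -> Iterator[dict]:
    """Yield the `_source` of every document in `index` using scroll.

    The first call is a normal search with `?scroll=<keep_alive>`; each later
    page is fetched from /_search/scroll with the returned scroll_id, and the
    server-side context is released in `finally` even if the caller stops early.
    """
    page = request("POST", f"/{index}/_search?scroll={keep_alive}",
                   {"size": page_size, "query": {"match_all": {}},
                    "sort": ["_doc"]})  # _doc order is cheapest for full scans
    scroll_id = page.get("_scroll_id")
    try:
        while True:
            hits = page["hits"]["hits"]
            if not hits:
                break
            for hit in hits:
                yield hit["_source"]
            page = request("POST", "/_search/scroll",
                           {"scroll": keep_alive, "scroll_id": scroll_id})
            scroll_id = page.get("_scroll_id", scroll_id)
    finally:
        if scroll_id:
            request("DELETE", "/_search/scroll", {"scroll_id": scroll_id})


def export_to_ndjson(request: Request, index: str, page_size: int = 500) -> List[str]:
    """One JSON object per line; json.dumps turns real newlines into '\\n'."""
    return [json.dumps(src, ensure_ascii=False)
            for src in scroll_hits(request, index, page_size)]


def load_ndjson(lines: List[str]) -> List[dict]:
    """What Logstash's json_lines codec effectively does with the file."""
    return [json.loads(line) for line in lines if line.strip()]


def make_fake_request(events: List[dict], page_size: int) -> Tuple[Request, Dict]:
    """Constructed offline stand-in for Elasticsearch that serves `events`
    in scroll pages and records whether the scroll context was cleared."""
    state = {"pos": 0, "cleared": False}

    def request(method: str, path: str, body: dict) -> dict:
        if method == "DELETE":
            state["cleared"] = True
            return {"succeeded": True}
        chunk = events[state["pos"]:state["pos"] + page_size]
        state["pos"] += len(chunk)
        return {"_scroll_id": "constructed-scroll-id",
                "hits": {"hits": [{"_source": e} for e in chunk]}}
    return request, state


def demo() -> Tuple[List[str], List[dict], bool]:
    """Round-trip the sample events through export and reload offline."""
    request, state = make_fake_request(SAMPLE_EVENTS, page_size=2)
    lines = export_to_ndjson(request, "winlogbeat-*", page_size=2)
    return lines, load_ndjson(lines), state["cleared"]


if __name__ == "__main__":
    # Against a real cluster: export_to_ndjson(http_request("http://localhost:9200"), "winlogbeat-*")
    for line in demo()[0]:
        print(line)
```

Write the lines to a file and point the Logstash file input at it with `codec => json_lines`; each line becomes one event whose fields (including the multiline `message`) match the `_source` that was indexed, so the modified pipeline sees the same document winlogbeat originally sent rather than a flattened text dump.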