Remove fields on windows event log

tharu85 · May 24, 2017, 4:56am

{
"message" => "The Windows Filtering Platform has permitted a connection......bla bla.....",
"@version" => "1",
"@timestamp" => "2017-05-24T03:38:00.775Z",
"type" => "wineventlog",
"task" => "Filtering Platform Connection",
"log_name" => "Security",
"event_data" => {
"ProcessID" => "860",
"DestAddress" => "192.168.1.1",
"FilterRTID" => "0",
"LayerName" => "%%14610",
"SourceAddress" => "224.0.0.0",
"Application" => "\device\harddiskvolume2\windows\system32\svchost.exe",
"SourcePort" => "5355",
"LayerRTID" => "44",
"DestPort" => "61014",
"RemoteMachineID" => "S-1-0-0",
"Direction" => "%%14592",
"Protocol" => "17",
"RemoteUserID" => "S-1-0-0"
},
"beat" => {
"name" => "web",
"hostname" => "web",
"version" => "5.4.0"
},
"record_number" => "709132556",
"version" => 1,
"process_id" => 4,
"opcode" => "Info",
"provider_guid" => "{54849625-5478-4994-A00A-3E3B0328C30D}",
"source_name" => "Microsoft-Windows-Security-Auditing",
"computer_name" => "web",
"event_id" => 5156,
"thread_id" => 2908,
"level" => "Information",
"keywords" => [
[0] "Audit Success"
],
"host" => "web",
"tags" => [
[0] "beats_input_codec_plain_applied"
]
}

I need to remove "beat" array and it should not appear in the log

"beat" => {
"name" => "web",
"hostname" => "web",
"version" => "5.4.0"
},

from log under filter mutate function. Following syntax doesn't work.

remove_field => [ "[beat]" ]
remove_field => [ "[beat][name]" ]
remove_field => [ "[beat][hostname]" ]
remove_field => [ "[beat][version]" ]

and also need to remove content of a filed, in below under tags there is "beats_input_codec_plain_applied" and I need to remove that content, not the filed.

"tags" => [
[0] "beats_input_codec_plain_applied"
]

So once it removed tags filed should blank.

Anyone who made changes under this scenario ?

xanadsonf · May 24, 2017, 8:20am

Concerning the first problem, you just need to remove beat field
mutate {
remove_field => "beat"
}

You can either remove it with:
filter {
if "beats_input_codec_plain_applied" in [tags] {
mutate {
remove_tag => ["beats_input_codec_plain_applied"]
}
}
}

Or use
tag_on_failure => []
in your grok filter

tharu85 · May 24, 2017, 9:19am

mutate {
remove_field => "beat"
}

if "beats_input_codec_plain_applied" in [tags] {
mutate {
remove_tag => ["beats_input_codec_plain_applied"]
}
}
}

doesn't work.

xanadsonf · May 24, 2017, 11:59am

What do you mean by "doesn't" work ?

There is an error thrown? The first one does not work as expected? The second one? Both?

tharu85 · May 24, 2017, 12:30pm

Both syntax that you are mentioned in previous post are not working. I have tested both syntax.

Toony · May 24, 2017, 1:19pm

Essaye ceci / Try this:

remove_field => [ "beat" ]

Ca devrait fonctionner mieux / It should work better

system · June 21, 2017, 1:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.