Replace field content

Hi, I'm trying to replace the field content, currently a number/integer, with a field with letters. Basically I want to change the LogonType to something more understandable than just the number "2".

I first tried this, as it's close to an example I found here on the forum, but that example did not have a ".":

filter {
  if [source_name] == "Microsoft-Windows-Security-Auditing" {
    if "[event_data.LogonType]" == "2" {
      mutate {
        replace => [ "[event_data.LogonType]", "interactive logon" ]
      }
    }
  }
}

The example below I was certain would work, as it follows the form of a working replace statement, but no luck:

filter {
  if [source_name] == "Microsoft-Windows-Security-Auditing" {
    if "[event_data.LogonType]" == "2" {
      mutate {
        replace => [ "[event_data][LogonType]", "interactive logon" ]
      }
    }
  }
}

What am I missing here?

Hi, it looks like the event_data.LogonType field is an int.
Can you update the config to be:

  if "[event_data.LogonType]" == 2 {

Note: without the quotation marks.

if "[event_data.LogonType]" == "2" {

Use the same syntax for accessing the subfield that you're using inside the mutate filter a few lines below. See "Accessing event data and fields" in the Logstash Reference [8.11] (Elastic).

You may want to use the translate filter instead of a series of conditionals wrapping mutate filters.
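A worked version of that suggestion, added here as an example and not the poster's own config: the translate filter bundled with Logstash maps the numeric Windows logon type to a label in one lookup, using the [event_data][LogonType] field-reference syntax instead of the quoted "event_data.LogonType" string. It covers more logon type codes than the thread lists; the LogonTypeName target field is an assumption, and source/target are the option names in current releases (older releases call them field/destination).

```logstash
filter {
  # Field references are unquoted and use [a][b] syntax, not "a.b".
  # The second clause only runs the lookup when the field exists.
  if [source_name] == "Microsoft-Windows-Security-Auditing" and [event_data][LogonType] {
    translate {
      source => "[event_data][LogonType]"
      # Write the label to a new field (assumed name) so the raw code stays
      # available to detection rules; to replace in place instead, set
      # target to the source field and add override => true.
      target => "[event_data][LogonTypeName]"
      # Dictionary keys are strings; winlogbeat ships LogonType as "2" in
      # the event shown in this thread.
      dictionary => {
        "2"  => "Interactive"
        "3"  => "Network"
        "4"  => "Batch"
        "5"  => "Service"
        "7"  => "Unlock"
        "8"  => "NetworkCleartext"
        "9"  => "NewCredentials"
        "10" => "RemoteInteractive"
        "11" => "CachedInteractive"
      }
      # Codes outside the table are still labelled rather than left blank.
      fallback => "Unknown (%{[event_data][LogonType]})"
    }
  }
}
```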

input {
  # winlogbeat
  beats {
    port => 5044
    add_field => { "[@metadata][source]" => "winlogbeat" }
  }
}

filter {
  if [log_name] == "Security" or
     [source_name] == "Microsoft-Windows-Security-Auditing"
  {
    if "[event_data.LogonType]" == 2 {
      mutate {
        replace => [ "[event_data.LogonType]" , "interactive logon" ]
      }
    }
    if "[event_data.LogonType]" == 3 {
      mutate {
        replace => [ "[event_data.LogonType]" , "network logon" ]
      }
    }
    if "[event_data.LogonType]" == 5 {
      mutate {
        replace => [ "[event_data.LogonType]" , "Service logon" ]
      }
    }
    if "[event_data.LogonType]" == 10 {
      mutate {
        replace => [ "[event_data.LogonType]" , "RemoteInteractive Logon" ]
      }
    }
    if "[event_data.LogonType]" == 11 {
      mutate {
        replace => [ "[event_data.LogonType]" , "CachedInteractive (cached credentials)" ]
      }
    }
  }
}

I get an OK on the config file,

but the result is (still) this:

{
  "_index": "winlogbeat-2017.12.05",
  "_type": "doc",
  "_id": "rILFJWABCGwp9uhrjC0z",
  "_version": 1,
  "_score": null,
  "_source": {
    "process_id": 932,
    "computer_name": "PC00805l",
    "keywords": [
      "Audit Success"
    ],
    "log_name": "Security",
    "level": "Information",
    "record_number": "50641",
    "event_data": {
      "TargetLogonId": "0x830681",
      "LogonType": "2",      <- I want this to be "interactive logon" instead
      "TargetUserName": "ssi",
      "TargetDomainName": "DAC",
      "TargetUserSid": "S-1-5-21-2007484102-1456041316-233718849-21738"
    },
    "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2007484102-1456041316-233718849-21738\n\tAccount Name:\t\tssi\n\tAccount Domain:\t\tDAC\n\tLogon ID:\t\t0x830681\n\nLogon Type:\t\t\t2\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
    "type": "wineventlog",
    "opcode": "Info",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "thread_id": 7728,
    "@timestamp": "2017-12-05T08:23:09.339Z",
    "event_id": 4634,
    "task": "Logoff",
    "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "@version": "1",
    "beat": {
      "name": "PC00805",
      "hostname": "PC00805",
      "version": "6.0.0"
    },
    "host": "PC00805",
    "source_name": "Microsoft-Windows-Security-Auditing"
  },
  "fields": {
    "@timestamp": [
      "2017-12-05T08:23:09.339Z"
    ]
  },
  "sort": [
    1512462189339
  ]
}
