input {
#winlogbeat
beats {
port => 5044
add_field => { "[@metadata][source]" => "winlogbeat"}
filter {
if [log_name] == "Security" or
[source_name] == "Microsoft-Windows-Security-Auditing"
{
if "[event_data.LogonType]" == 2 {
mutate {
replace => [ "[event_data.LogonType]" , "interactive logon" ]
}
}
if "[event_data.LogonType]" == 3 {
mutate {
replace => [ "[event_data.LogonType]" , "network logon" ]
}
}
if "[event_data.LogonType]" == 5 {
mutate {
replace => [ "[event_data.LogonType]" , "Service logon"]
}
}
if "[event_data.LogonType]" == 10 {
mutate {
replace => [ "[event_data.LogonType]" , "RemoteInteractive Logon" ]
}
}
if "[event_data.LogonType]" == 11 {
mutate {
replace => [ "[event_data.LogonType]" , "CachedInteractive (cached credentials)" ]
}
}
}
i get an ok on the config file
but the result is (still) this
{
"_index": "winlogbeat-2017.12.05",
"_type": "doc",
"_id": "rILFJWABCGwp9uhrjC0z",
"_version": 1,
"_score": null,
"_source": {
"process_id": 932,
"computer_name": "PC00805l",
"keywords": [
"Audit Success"
],
"log_name": "Security",
"level": "Information",
"record_number": "50641",
"event_data": {
"TargetLogonId": "0x830681",
"LogonType": "2", <- I want this to be "interactive logon" instead
"TargetUserName": "ssi",
"TargetDomainName": "DAC",
"TargetUserSid": "S-1-5-21-2007484102-1456041316-233718849-21738"
},
"message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2007484102-1456041316-233718849-21738\n\tAccount Name:\t\tssi\n\tAccount Domain:\t\tDAC\n\tLogon ID:\t\t0x830681\n\nLogon Type:\t\t\t2\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
"type": "wineventlog",
"opcode": "Info",
"tags": [
"beats_input_codec_plain_applied"
],
"thread_id": 7728,
"@timestamp": "2017-12-05T08:23:09.339Z",
"event_id": 4634,
"task": "Logoff",
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"@version": "1",
"beat": {
"name": "PC00805",
"hostname": "PC00805",
"version": "6.0.0"
},
"host": "PC00805",
"source_name": "Microsoft-Windows-Security-Auditing"
},
"fields": {
"@timestamp": [
"2017-12-05T08:23:09.339Z"
]
},
"sort": [
1512462189339
]
}