Hello,
My use case is to forward all nested fields (in this case events_*) to another system.
This is my current output
],
"level" => "Information",
"log_name" => "Security",
"record_number" => "132683773",
"event_data" => {
"ProcessName" => "-",
"LogonGuid" => "{.........}",
"LogonType" => "3",
"IpPort" => "59681",
"TransmittedServices" => "-",
"SubjectLogonId" => "0x0",
"KeyLength" => "0",
"LmPackageName" => "-",
"TargetLogonId" => ".....",
"SubjectUserName" => "-",
"WorkstationName" => "-",
"IpAddress" => "1.1.1.1",
"SubjectDomainName" => "-",
"ImpersonationLevel" => "%%1833",
"TargetUserName" => "abcdef",
"ProcessId" => "0x0",
"LogonProcessName" => "Kerberos",
"TargetDomainName" => "domain",
"SubjectUserSid" => "S-1-0-0",
"AuthenticationPackageName" => "Kerberos",
"TargetUserSid" => "......."
},
"message" => "An account was successfully logged on",
"type" => "wineventlog",
"opcode" => "Info",
"version" => 1,
"tags" => [
[0] "beats_input_codec_plain_applied"
],
Currently I create a new field with mutate-replace and put all fields that are needed into this field.
Since the number/name of nested fields in events_ can be dynamic, I need to construct something like %{[event_data][*]} or %{[event_data][@]}, but this does not work.
Does anyone have an idea about this?
Regards,
ddebast
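An added example (not from ddebast's post and not Logstash's own code) of the approach a Logstash `ruby` filter allows: iterate over whatever keys [event_data] happens to contain and write them into one new field. The `Event` class below is an assumed stand-in for Logstash's event object (which exposes `get`/`set` with the same "[a][b]" field-reference syntax); the target field name `[forwarded]` and the sample event are constructed for the example.

```ruby
# Minimal stand-in for the Logstash event object so this runs outside Logstash.
# Inside a real `ruby { code => "..." }` filter, use the `event` Logstash passes
# in and drop this class.
class Event
  def initialize(data)
    @data = data
  end

  # Split "[event_data][LogonType]" into ["event_data", "LogonType"].
  def path(ref)
    ref.scan(/\[([^\]]+)\]/).flatten
  end

  def get(ref)
    path(ref).reduce(@data) { |h, k| h.is_a?(Hash) ? h[k] : nil }
  end

  def set(ref, value)
    *parents, last = path(ref)
    node = parents.reduce(@data) { |h, k| h[k] ||= {} }
    node[last] = value
  end
end

# Copy every nested key of [event_data] into [target] as one "k=v; k=v" string,
# whatever the keys are. Values that are the "-" placeholders seen in the
# post's output (or nil) are skipped. Returns the list of keys forwarded,
# empty when the event has no [event_data] hash at all.
def forward_event_data(event, target: "[forwarded]", source: "[event_data]")
  nested = event.get(source)
  return [] unless nested.is_a?(Hash)
  kept = nested.reject { |_, v| v.nil? || v == "-" }
  event.set(target, kept.map { |k, v| "#{k}=#{v}" }.join("; "))
  kept.keys
end

# Constructed sample event shaped like the Winlogbeat output in the post.
SAMPLE = Event.new(
  "log_name" => "Security",
  "event_data" => {
    "LogonType" => "3", "ProcessName" => "-", "IpAddress" => "1.1.1.1",
    "TargetUserName" => "abcdef", "LogonProcessName" => "Kerberos"
  }
)

if __FILE__ == $0
  puts forward_event_data(SAMPLE).inspect
  puts SAMPLE.get("[forwarded]")
end
```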