Send event logs to pipeline based on event_id

tedfs · October 6, 2020, 2:37pm

Hi there. I am trying to send specific windows event logs to a pipeline based on event_id in my winlogbeat.yml config file. However, when the conditional is added to the config file, it appears to bypass the pipeline completely. The error logs seem to indicate that event_id is being seen as a non-string datatype, and that's why the when.contains fails

I'm running winlogbeat 6.8.10, as my ELK stack is part of a Security Onion setup.

Relevant config:

output.elasticsearch:
  hosts: ["hostname:9200"]
  pipelines:
    - pipeline: "mypipeline"
      when.contains:
        event_id: "1210"

And the error I'm seeing in the log:

2020-10-05T15:41:40.134-0700	WARN	conditions/matcher.go:97	unexpected type uint32 in contains condition as it accepts only strings.

I'm open to any options. The ultimate goal is to be able to send logs to various pipelines based on event_id.

Thanks!

andrewkroh · October 6, 2020, 7:36pm

How about using when.equals.event_id: 1210? I think the equality condition should work for numbers.

tedfs · October 6, 2020, 8:07pm

I will give it a try and update this post with the result. Thank you.

Also, if you don't mind, can you point me to where I can find more documentation about things like conditions that can be used in beats config files? I have been using this as a guide thus far: https://www.elastic.co/guide/en/beats/winlogbeat/6.8/elasticsearch-output.html

Thank you again.

tedfs · October 6, 2020, 8:46pm

That worked. Thank you!

andrewkroh · October 6, 2020, 8:58pm

Docs for processors and conditions are at https://www.elastic.co/guide/en/beats/winlogbeat/current/defining-processors.html. Choose your version on the right hand side dropdown menu.

tedfs · October 7, 2020, 2:12pm

Thank you!

system · November 4, 2020, 4:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.