Is it best practice to mutate all the fields with the "event_data" attached to it to its original data field name? If so, what is the easiest way to do it in a filter? I am forwarding native Windows events and also Sysmon Events. I am forwarding my logs with Winlogbeat 5.2.1 and my logstash configurations are the following:
I have been reading since I posted this two days ago and I found this post in this forum:
"The event_data.* fields are the raw data that was provided by the application that logged the event. This is included in the event published by Winlogbeat so that you don't have to grok the message field to extract data needed for other analysis you might want to do."
So all new data fields from, for example, Sysmon logs, have the event_data name at the beginning .
event_data.CommandLine
event_data.ProcessName
I was wondering if I could split that and only show the original Field name. For example, following the two examples that i provided, "CommandLine" & "ProcessName".
After a lot of reading, I think thats how Winlogbeat send the logs to Logstash and mutating.renaming logs will cause some performance issues . correct? Is it normal to leave the field names like that with event_data at the beginning? This is my first time working with winlogbeat and ELK. If so, then I dont have to do anything to them and work with them named that way.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.