Split "event_data" to only show the original field

peanut · March 14, 2017, 7:41pm

Good afternoon elastic community,

I posted this question on the Logstash section but I figured it would be helpful to get your Winlogbeat expertise too. Is it best practice to mutate all the fields with the "event_data" attached to it to its original data field name? If so, what is the easiest way to do it in a filter? I am forwarding native Windows events and also Sysmon Events. I am forwarding my logs with Winlogbeat 5.2.1 and my logstash configurations are the following:

02-beats-input.conf

input {
beats {
port => 5044
add_field => { "[@metadata][source]" => "winlogbeat" }
}

50-elasticsearch-output.conf

output {
if [@metadata][source] == "winlogbeat" {
elasticsearch {
hosts = ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
}

andrewkroh · March 16, 2017, 3:18pm

It's not clear what you are asking. Can you please clarify and maybe provide an example.

peanut · March 16, 2017, 10:46pm

Topic		Replies	Views
Split "event_data" to only show the original data field Logstash	3	1627	April 13, 2017
Drop "event_data." from data field Beats winlogbeat	7	2714	April 17, 2017
How to get the original message sent to logstash? Logstash	1	604	October 7, 2019
How to get the original log from winlogbeat? Logstash	1	295	October 14, 2019
Event_data.param# instead of the correct fields Beats winlogbeat	6	1430	October 4, 2018

Split "event_data" to only show the original field

Related topics