Split "event_data" to only show the original field

peanut · March 14, 2017, 7:41pm

Good afternoon elastic community,

I posted this question on the Logstash section but I figured it would be helpful to get your Winlogbeat expertise too. Is it best practice to mutate all the fields with the "event_data" attached to it to its original data field name? If so, what is the easiest way to do it in a filter? I am forwarding native Windows events and also Sysmon Events. I am forwarding my logs with Winlogbeat 5.2.1 and my logstash configurations are the following:

02-beats-input.conf

input {
beats {
port => 5044
add_field => { "[@metadata][source]" => "winlogbeat" }
}

50-elasticsearch-output.conf

output {
if [@metadata][source] == "winlogbeat" {
elasticsearch {
hosts = ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
}

andrewkroh · March 16, 2017, 3:18pm

It's not clear what you are asking. Can you please clarify and maybe provide an example.

peanut · March 16, 2017, 10:46pm

system · April 13, 2017, 10:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.