Sysmon kibana integration

Hi,

I'm trying to send sysmon logs to kibana. I've managed to visualize Kibana. But the schema is not displayed properly. Therefore, I cannot filter. Would you help if I need to create a schema for sysmon in the Kibana section?

I use it as an ELK.

Hi @bilge,

How are you getting the data into Elasticsearch, are you using winlogbeat?

Thanks,
Liza

Just a clarification that OP is @bilge, not me. It seems he's using my SOF-ELK VM, though.


Ah thanks Phil, sorry for my mixup :)

I am using nxlog. Does nxlog or winlogbeat matter?

Hi @bilge,

You can use either; I was just trying to narrow down the source. I think you will need a template, from the examples I see forwarding logs to logstash.

https://nxlog.co/documentation/nxlog-user-guide/elasticsearch.html

Does this help?

Thanks,
Liza

I have an nxlog configuration file. I send logs directly to logstash. But I need a schema for sysmon logs. Do I need to edit logstash.conf? Or where can I create a conf file in ELK for sysmon?

Yes, please do edit logstash.conf; it should reload automatically with the new pipeline when you make your changes.


Here is some additional info from @yaauie :
Use the JSON Filter Plugin to parse the JSON-encoded value held in the event’s message field, either expanding it to top-level of the event or injecting the fields as sub-fields.
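To make the advice above concrete, here is an added example of a Logstash pipeline that does what the two replies describe: receives the JSON lines nxlog sends, parses the `message` field with the JSON filter, and indexes the result. This is not configuration from this thread, from SOF-ELK, or from nxlog's documentation. The TCP port, the `sysmon` target name, the index name, and the assumption that nxlog's `to_json()` emits `Channel` and `EventTime` in the form shown are all choices made for this example; adjust them to match what your nxlog output actually produces.

```conf
input {
  # nxlog's om_tcp output sends one JSON document per line (port is an assumption)
  tcp {
    port  => 5140
    codec => "line"
  }
}

filter {
  # The whole nxlog JSON document arrives in [message]; parse it.
  # With "target" set, the parsed fields land under [sysmon] (sub-fields);
  # remove the "target" line to expand them to the top level of the event instead.
  json {
    source         => "message"
    target         => "sysmon"
    tag_on_failure => ["_jsonparsefailure"]
  }

  if "_jsonparsefailure" not in [tags] {
    # Channel and EventTime names/format assume nxlog's to_json() output (assumption)
    if [sysmon][Channel] == "Microsoft-Windows-Sysmon/Operational" {
      date {
        match  => ["[sysmon][EventTime]", "yyyy-MM-dd HH:mm:ss"]
        target => "@timestamp"
      }
      # The raw JSON is now redundant; dropping it keeps the index smaller
      mutate { remove_field => ["message"] }
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "sysmon-%{+YYYY.MM.dd}"
  }
}
```

Events that fail to parse keep their raw `message` and carry the `_jsonparsefailure` tag, so you can search for that tag in Kibana to find nxlog output that is not valid JSON. After the first documents land in the new index, create or refresh the index pattern in Kibana so the newly parsed fields (for example `sysmon.Image` or `sysmon.CommandLine`) become available for filtering; Kibana only shows fields that exist in the index mapping.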

There are many template files. I wasn't sure which one I had to edit. Is the path to the logstash.conf file different in the SOF-ELK VM? @philhagen
