Hi, we are trying to exclude some lines from our PDC Linux server, which logs accesses in JSON format with Filebeat.
We just need to log real users' accesses, without any log related to workstation accounts.
From what we read we should use json.message_key, but the key/value we need is not at the top level of the JSON record, because we would like to exclude any record containing "$" (so workstations), and in my example this is the Authentication.becameAccount field, under the Authentication "top" key.
Our log looks like this:
{"timestamp": "2020-09-08T18:16:19.402301+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.2.119:52962", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "DBS-VODA-ALL$@CLOUD4U.IT", "workstation": null, "becameAccount": "DBS-VODA-ALL$", "becameDomain": "CLOUD4U", "becameSid": "S-1-5-21-2496643188-3631807185-13555695-1156", "mappedAccount": "DBS-VODA-ALL$", "mappedDomain": "CLOUD4U", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 3602}}
Our Filebeat config (related to this specific part) is:
paths:
  - /var/log/samba/log.samba
json.keys_under_root: true
json.add_error_key: true
json.message_key: Authentication.becameAccount   # doesn't work!!
exclude_lines: ['^.*[$].*$']
Is there any way to map this second-level field inside a custom top-level one? Or any other suggestion on how to accomplish this task?
Thanks in advance
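An added example, not from the original post or from the Filebeat project, of expressing the same rule with a processor instead of exclude_lines. It assumes the log input and path from the question and that json.keys_under_root places the decoded object at the event root, so the nested field can be addressed as Authentication.becameAccount in a processor condition:

```yaml
filebeat.inputs:
  - type: log
    paths:
      - /var/log/samba/log.samba
    # One Samba audit JSON object per line; decoded keys go to the event root.
    json.keys_under_root: true
    json.add_error_key: true
    # json.message_key / exclude_lines only look at a top-level key, so the
    # machine-account filter is done on the decoded event instead.
    processors:
      # Drop logon events whose target account is a machine account
      # (sAMAccountName ending in "$"), e.g. "DBS-VODA-ALL$" from the sample.
      - drop_event:
          when:
            contains:
              Authentication.becameAccount: "$"
```

Events without an Authentication.becameAccount field (other Samba audit record types, or a null value) do not match the condition and are kept, so only the workstation logons are removed.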