Using exclude_lines with json logs

Hi, we are trying to exclude some lines from our PDC Linux server, logging accesses in JSON format with Filebeat.
We just need to log real users' accesses, without any log related to workstation accounts.

From what we read we should use json.message_key, but the key/value we need is not at the top level of the JSON record, because we would like to exclude any record containing "$" (so workstations), and in my example this can be the Authentication.becameAccount field, so under the Authentication "top" key.
Our log looks like this:

{"timestamp": "2020-09-08T18:16:19.402301+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.2.119:52962", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "DBS-VODA-ALL$@CLOUD4U.IT", "workstation": null, "becameAccount": "DBS-VODA-ALL$", "becameDomain": "CLOUD4U", "becameSid": "S-1-5-21-2496643188-3631807185-13555695-1156", "mappedAccount": "DBS-VODA-ALL$", "mappedDomain": "CLOUD4U", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 3602}}

Our filebeat config (related to this specific part) is:

  paths:
    - /var/log/samba/log.samba
  json.keys_under_root: true
  json.add_error_key: true
  json.message_key: Authentication.becameAccount  # doesn't work!!
  exclude_lines: ['^.*[$].*$']

Is there any way to map this second-level field into a custom top-level one? Or any other suggestion on how to accomplish this task?
Thanks in advance
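
One way to get this filtering, as an added example that is not part of the original post: json.message_key only applies line filtering to a top-level string key, so the nested field is matched after JSON decoding with a drop_event processor instead. The filebeat.inputs / type: log wrapper is an assumption, since the post shows only a fragment of the input.

```yaml
filebeat.inputs:
  - type: log            # assumed input type; the post shows only the options below
    paths:
      - /var/log/samba/log.samba
    # Decode each line as JSON and lift its keys to the event root, so the
    # nested value becomes the event field Authentication.becameAccount.
    json.keys_under_root: true
    json.add_error_key: true
    # json.message_key and exclude_lines are left out: they filter on a
    # top-level string key only, which this record does not provide.
    processors:
      # Drop the event when the decoded nested field ends in "$"
      # (machine account, e.g. "DBS-VODA-ALL$" in the sample record).
      # Single quotes keep the backslash literal: regex \$ followed by
      # the end-of-string anchor.
      - drop_event:
          when:
            regexp:
              Authentication.becameAccount: '\$$'
```

Events dropped here never reach the output, so machine-account logons will not be available for later investigation unless they are collected by another path.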
