I am new to the elastic community and need a little help.
I implemented the ELK stack and I am indexing windows event logs with winlogbeat.
For demo purposes I turned on audit logging for file shares and I get all the data I need into elastic search, but now comes my problem.
To find, for example, deleted files, you need to filter on a specific event_id; the result is all events with a file delete operation.
Within this result there are IDs which point to the files (in SQL, a classic join). So I need another filter depending on the first one to get the files which have been deleted.
I studied all the documentation about nesting, parent, child but I am still confused about solving this.
There's not really a join operation in Elasticsearch or Kibana. But there might be a way to get what you need. I have winlogbeat installed on Windows Home version. If you give me a little direction for turning on the audit logging for file shares, I could look at similar data to yours.
Are you getting separate docs in Elasticsearch where some docs have the deleted-file event_id and a file ID, and other docs with the file ID and file name? And if so, is it a 1-to-1 match?
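As an added example (not code from either post), here is the two-query workaround the reply is hinting at, run offline over constructed winlogbeat-style documents. It assumes the standard Windows file-audit events 4660 ("An object was deleted", which carries only a Handle ID) and 4663 ("An attempt was made to access an object", which carries the Object Name), and the pre-ECS winlogbeat field names event_id, event_data.HandleId, event_data.ObjectName and event_data.ProcessId; the original question names none of these, so check them against your own mapping before using the query bodies.

```python
"""Emulating the missing join: delete events -> handle IDs -> file names.

Elasticsearch has no server-side join, so the usual approach is two
round trips: (1) aggregate the Handle IDs of the delete events,
(2) fetch the access events for those handles, which carry the name.
The correlation itself is then done client-side.
"""
from collections import defaultdict

DELETE_EVENT_ID = 4660   # object deleted: HandleId, no ObjectName
ACCESS_EVENT_ID = 4663   # access attempt: HandleId and ObjectName

# Constructed sample data in the shape of pre-ECS winlogbeat docs.
# Field names (event_id, event_data.*) are an assumption about the mapping.
SAMPLE_DOCS = [
    {"event_id": 4663, "event_data": {"HandleId": "0x1a4", "ProcessId": "0x4d2",
     "ObjectName": "C:\\Shares\\Finance\\q3.xlsx", "AccessMask": "0x10000"}},
    {"event_id": 4660, "event_data": {"HandleId": "0x1a4", "ProcessId": "0x4d2"}},
    {"event_id": 4663, "event_data": {"HandleId": "0x2b0", "ProcessId": "0x4d2",
     "ObjectName": "C:\\Shares\\HR\\notes.docx", "AccessMask": "0x1"}},
    {"event_id": 4663, "event_data": {"HandleId": "0x3c8", "ProcessId": "0x7e8",
     "ObjectName": "C:\\Shares\\Finance\\budget.pdf", "AccessMask": "0x10000"}},
    {"event_id": 4660, "event_data": {"HandleId": "0x3c8", "ProcessId": "0x7e8"}},
    # A delete whose matching access event was not captured (e.g. rotated away).
    {"event_id": 4660, "event_data": {"HandleId": "0x5e0", "ProcessId": "0x4d2"}},
]


def delete_handle_query(size=1000):
    """Step 1: query body that returns the distinct Handle IDs of delete events."""
    return {
        "size": 0,
        "query": {"term": {"event_id": DELETE_EVENT_ID}},
        "aggs": {"handles": {"terms": {"field": "event_data.HandleId", "size": size}}},
    }


def filename_lookup_query(handle_ids):
    """Step 2: query body that fetches the access events for those handles."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"event_id": ACCESS_EVENT_ID}},
            {"terms": {"event_data.HandleId": sorted(handle_ids)}},
        ]}},
        "_source": ["event_data.HandleId", "event_data.ProcessId",
                    "event_data.ObjectName"],
    }


def run_term_query(docs, event_id):
    """Offline stand-in for the server: docs matching a single event_id."""
    return [d for d in docs if d["event_id"] == event_id]


def deleted_files(docs):
    """Client-side join of delete events to the names from access events.

    Handle IDs are reused once a handle is closed, so the key is
    (ProcessId, HandleId) rather than HandleId alone; on real data you
    would also bound the time window. Returns ({key: [names]}, unresolved).
    """
    def key(d):
        return (d["event_data"]["ProcessId"], d["event_data"]["HandleId"])

    deleted = {key(d) for d in run_term_query(docs, DELETE_EVENT_ID)}
    names = defaultdict(set)
    for d in run_term_query(docs, ACCESS_EVENT_ID):
        if key(d) in deleted:
            names[key(d)].add(d["event_data"]["ObjectName"])
    resolved = {k: sorted(v) for k, v in names.items()}
    return resolved, deleted - set(resolved)


if __name__ == "__main__":
    found, missing = deleted_files(SAMPLE_DOCS)
    for (pid, handle), paths in sorted(found.items()):
        print(pid, handle, paths)
    print("deletes with no name found:", sorted(missing))
```

The server-side half is just the two query bodies: send `delete_handle_query()`, read the bucket keys, then send `filename_lookup_query(keys)` and correlate the hits as `deleted_files` does. The second query can only filter on HandleId, so the ProcessId check and any time-window check stay on the client; a Handle ID that was recycled by another process would otherwise attach the wrong file name to the deletion.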