Hello everyone!
I've set up Windows logs for auditing a Windows file server. File access logs are being generated OK. I've deployed an ELK stack in a VM. Configured Winlogbeat on the Windows file server OK. Security logs are being received in Elasticsearch OK. Not using Logstash. All the info I need about file creation / modification / deletion is arriving in Elasticsearch successfully.
My problem is: the received logs don't separate user names and file names + paths into specific fields. Some data is separated into proper fields, like agent.hostname, event.code and so on. But the filename and username are together with other info in a big string field in the logs, and I must extract these specific fields from this string data.
Once I have this data in specific fields, I can work with it, making filters and creating visualizations. Maybe using Logstash + some custom script?
Any hint on how I can customize these logs in the way described would be welcome.
Thanks in advance!
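The extraction the post asks about, as an added example that is not part of the original post or of the Elastic stack: the rendered text of a Windows Security file-audit event (4663, "An attempt was made to access an object") is a fixed layout of section headers ("Subject:", "Object:", "Access Request Information:") followed by tab-indented "Key:\t\tValue" lines, so it can be parsed into named fields with a small, deterministic parser rather than a hand-tuned regex per field. The same logic can be moved into a Logstash filter or an Elasticsearch ingest pipeline processor; it is shown here in Python so it runs stand-alone. The sample messages, SIDs, paths and the ECS-style output field names (`user.name`, `file.path`, `event.action`) are constructed for illustration and are assumptions, not values from the poster's server. It also covers one failure mode a practitioner hits immediately: the delete event 4660 ("An object was deleted") carries no Object Name, only a Handle ID, so the file path has to be recovered from the preceding 4663 for the same handle and logon session.

```python
import re
from typing import Dict, List, Optional

# Constructed sample messages (not real logs): rendered text of a Windows
# Security 4663 (object access) and the 4660 (object deleted) that follows
# it for the same handle. Names, SIDs and paths are invented.
SAMPLE_4663 = (
    "An attempt was made to access an object.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105\n"
    "\tAccount Name:\t\tjdoe\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7\n\n"
    "Object:\n"
    "\tObject Server:\t\tSecurity\n"
    "\tObject Type:\t\tFile\n"
    "\tObject Name:\t\tC:\\Shares\\Finance\\budget.xlsx\n"
    "\tHandle ID:\t\t0x1a4\n"
    "\tResource Attributes:\tS:AI\n\n"
    "Process Information:\n"
    "\tProcess ID:\t\t0x4\n"
    "\tProcess Name:\t\t\n\n"
    "Access Request Information:\n"
    "\tAccesses:\t\tDELETE\n"
    "\t\t\t\tWriteData (or AddFile)\n"
    "\tAccess Mask:\t\t0x10002\n"
)

SAMPLE_4660 = (
    "An object was deleted.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105\n"
    "\tAccount Name:\t\tjdoe\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7\n\n"
    "Object:\n"
    "\tObject Server:\tSecurity\n"
    "\tHandle ID:\t0x1a4\n\n"
    "Process Information:\n"
    "\tProcess ID:\t0x4\n"
    "\tProcess Name:\t\n"
)

SECTION_RE = re.compile(r"^([A-Za-z ]+):\s*$")          # e.g. "Subject:"
FIELD_RE = re.compile(r"^\t([^\t:][^:]*):\t*(.*)$")      # e.g. "\tAccount Name:\t\tjdoe"
ACCESS_RE = re.compile(r"[A-Za-z_]+(?: \([^)]*\))?")     # "WriteData (or AddFile)"


def parse_event_message(message: str) -> Dict[str, Dict[str, str]]:
    """Turn the rendered message into {section: {key: value}}.

    Lines that are indented deeper than a key (no "Key:" prefix) continue
    the previous value; the Accesses list is rendered that way.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    last_key: Optional[str] = None
    for raw in message.splitlines():
        if not raw.strip():
            continue
        header = SECTION_RE.match(raw)
        if header:
            current = header.group(1)
            sections[current] = {}
            last_key = None
            continue
        field = FIELD_RE.match(raw)
        if field and current is not None:
            last_key = field.group(1).strip()
            sections[current][last_key] = field.group(2).strip()
            continue
        if current is not None and last_key is not None:
            joined = sections[current][last_key] + " " + raw.strip()
            sections[current][last_key] = joined.strip()
    return sections


def extract_file_audit_fields(message: str) -> Dict[str, object]:
    """Map a parsed 4663 message onto flat, ECS-style field names (assumed names)."""
    sections = parse_event_message(message)
    subject = sections.get("Subject", {})
    obj = sections.get("Object", {})
    access = sections.get("Access Request Information", {})
    path = obj.get("Object Name", "")
    return {
        "user.name": subject.get("Account Name", ""),
        "user.domain": subject.get("Account Domain", ""),
        "user.id": subject.get("Security ID", ""),
        "file.path": path,
        "file.name": path.rsplit("\\", 1)[-1],
        "event.action": ACCESS_RE.findall(access.get("Accesses", "")),
        "winlog.handle_id": obj.get("Handle ID", ""),
    }


def resolve_deleted_path(event_4660: str, recent_4663: List[str]) -> Optional[str]:
    """4660 has no Object Name: recover it from the latest 4663 that shares
    the Handle ID and Logon ID (same open handle, same session)."""
    deleted = parse_event_message(event_4660)
    handle = deleted.get("Object", {}).get("Handle ID")
    logon = deleted.get("Subject", {}).get("Logon ID")
    for msg in reversed(recent_4663):
        earlier = parse_event_message(msg)
        if (earlier.get("Object", {}).get("Handle ID") == handle
                and earlier.get("Subject", {}).get("Logon ID") == logon):
            return earlier["Object"].get("Object Name")
    return None


if __name__ == "__main__":
    print(extract_file_audit_fields(SAMPLE_4663))
    print(resolve_deleted_path(SAMPLE_4660, [SAMPLE_4663]))
```

Before shipping a parser like this, check whether Winlogbeat already exposes the event data as `winlog.event_data.SubjectUserName` and `winlog.event_data.ObjectName`; when those are present, a Kibana filter on them needs no parsing at all. When only the rendered message text is available, the same key/value split can be expressed as `dissect` or `grok` processors in an ingest pipeline, or as a `grok` filter in Logstash, and the 4660-to-4663 handle correlation is the part that needs stateful logic (a Logstash `aggregate` filter or a query-time join), since no single event carries both "deleted" and the path.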