Windows file server files auditing - parsing logs

Hello everyone!

I've set up Windows logs for auditing a Windows file server. File access logs are being generated OK. I've deployed an ELK stack in a VM. Configured Winlogbeat on the Windows file server OK. Security logs are being received in Elasticsearch OK. Not using Logstash. All the info I need about file creation / modification / deletion is arriving in Elasticsearch successfully.

My problem is: the received logs don't separate user names and file names + paths into specific fields. Some data is separated into proper fields, like agent.hostname, event.code and so on. But the filename and username are together with other info in a big string field on the logs, and I must extract these specific fields from this string data.

Once I have this data into specific fields, I can work with this data making filters and creating visualizations. Maybe using Logstash + some custom script?

Any hint on how I can customize these logs in the presented way would be welcome.

Thanks in advance!
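One way to do the extraction asked about above, as an added example that is not from the original thread: a Logstash `ruby` filter script that parses the rendered message of a file-audit event (such as event ID 4663) into separate fields. It assumes the standard Windows section/tab-indented message layout; the script path and the target field names are my own choices, loosely following ECS.

```ruby
# Added example: parses the rendered "message" of a Windows Security file-audit
# event (e.g. 4663) into separate fields, for use as a Logstash `ruby` filter.
def parse_security_message(message)
  sections = Hash.new { |h, k| h[k] = {} }   # "Subject" => {"Account Name" => ...}
  current, last_key = "Header", nil
  message.each_line do |raw|
    line = raw.chomp                          # handles both "\n" and "\r\n"
    next if line.strip.empty?
    if line.match?(/\A\s/)                    # indented: "Key:\t\tValue" or continuation
      if line.include?(":")
        key, value = line.strip.split(":", 2) # first colon ends the key, so "C:\..." survives
        last_key = key.strip
        sections[current][last_key] = value.to_s.strip
      elsif last_key                          # e.g. a second "Accesses:" entry on its own line
        sections[current][last_key] += "; " + line.strip
      end
    elsif line.end_with?(":")                 # section header such as "Subject:" or "Object:"
      current, last_key = line.chomp(":"), nil
    else
      sections[current]["Description"] = line.strip
    end
  end
  sections
end

# Flatten the sections into Logstash field references (names are my choice, loosely ECS).
def audit_fields(message)
  s = parse_security_message(message)
  path = s["Object"]["Object Name"]
  {
    "[user][name]"     => s["Subject"]["Account Name"],
    "[user][domain]"   => s["Subject"]["Account Domain"],
    "[file][path]"     => path,
    "[file][name]"     => path && path.split("\\").last,
    "[file][accesses]" => s["Access Request Information"]["Accesses"],
  }.reject { |_, v| v.nil? || v.empty? }
end

# Logstash entry point when loaded via `ruby { path => "/etc/logstash/parse_audit.rb" }`.
def filter(event)
  audit_fields(event.get("message").to_s).each { |k, v| event.set(k, v) }
  [event]
end

# Constructed sample message in the standard Windows layout, for running this locally.
SAMPLE_4663 = "An attempt was made to access an object.\r\n\r\nSubject:\r\n" \
  "\tAccount Name:\t\tjdoe\r\n\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7\r\n\r\n" \
  "Object:\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Shares\\Finance\\budget.xlsx\r\n\r\n" \
  "Access Request Information:\r\n\tAccesses:\t\tWriteData (or AddFile)\r\n" \
  "\t\t\t\tAppendData (or AddSubdirectory)\r\n\tAccess Mask:\t\t0x6\r\n"
```

Add `if [event][code] == "4663"` (or the other file-audit IDs you enabled) around the filter so it only runs on the events that carry this layout.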

Have you looked into setting up Elastic Agent to collect Windows logs?

With the "System" integration enabled with agent, these logs are automatically pulled, parsed, and enriched.