Winlogbeat/logstash change/rename JSON path schema

Hi,

Maybe this is a stupid question, but I would like to rename the built-in JSON fields and slightly change the structure of the JSON path schema. If it is possible to do that in Winlogbeat instead of Logstash,
it would be better for me, but it is not a necessity.

Once more, I apologize for what may be a stupid question, but I've been trying different options for two days and I can't figure out whether it's possible.

Winlogbeat configuration:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

output.logstash:
  hosts: ["10.10.10.10:5044"]

JSON format of event logs (output logstash):

  {
 
  "winlog":{
    "record_id":233841,
    "computer_name":"win_template.nxlog.matej",
    "api":"wineventlog",
    "provider_name":"Microsoft-Windows-Security-Auditing",
    "provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_data":{
      "LogonType":"3",
      "TargetLogonId":"0x25e8d3bb",
      "TargetUserName":"WIN_TEMPLATE$",
      "TargetDomainName":"NXLOG",
      "TargetUserSid":"S-1-5-18"},
    "task":"Logoff",
    "event_id":4634,
    "process":{
      "thread":{
        "id":7584},
      "pid":644},
    "keywords":[
     "Audit Success"],
    "opcode":"Info",
    "channel":"Security"},
  "@version":"1",
  "agent":{
    "ephemeral_id":"a8ad981b-d6f8-4179-935d-d2f6936cdace",
    "id":"4db0027b-ee74-425a-888c-ffe4fc1430b5",
    "hostname":"win_template",
    "version":"7.1.1",
    "type":"winlogbeat"},
  "event":{
    "code":4634,
    "created":"2019-07-03T08:30:25.691Z",
    "action":"Logoff",
    "kind":"event"},
  "tags":[],
  "@timestamp":"2019-07-03T08:30:24.457Z",
  "host":{
    "name":"win_template"},
  "message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN_TEMPLATE$\n\tAccount Domain:\t\tNXLOG\n\tLogon ID:\t\t0x25E8D3BB\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
  "log":{
    "level":"information"},
  "ecs":{
    "version":"1.0.0"}
 
 }

I'd like it to look something like this:

 {
 
  "msg":{
    "record_id":233841,
    "computer_name":"win_template.nxlog.matej",
    "api":"wineventlog",
    "provider_name":"Microsoft-Windows-Security-Auditing",
    "provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "LogonType":"3",
    "TargetLogonId":"0x25e8d3bb",
    "TargetUserName":"WIN_TEMPLATE$",
    "TargetDomainName":"NXLOG",
    "TargetUserSid":"S-1-5-18",
    "task":"Logoff",
    "event_id":4634,
    "process":{
      "thread":{
        "id":7584},
      "pid":644},
    "keywords":[
     "Audit Success"],
    "opcode":"Info",
    "channel":"Security"},
  "@version":"1",
  "meta":{
    "ephemeral_id":"a8ad981b-d6f8-4179-935d-d2f6936cdace",
    "id":"4db0027b-ee74-425a-888c-ffe4fc1430b5",
    "hostname":"win_template",
    "version":"7.1.1",
    "type":"winlogbeat",
    "host":{
       "name":"win_template"},
    "tags":[]},
  "@timestamp":"2019-07-03T08:30:24.457Z",
  "message":"An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN_TEMPLATE$\n\tAccount Domain:\t\tNXLOG\n\tLogon ID:\t\t0x25E8D3BB\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
  "log":{
    "level":"information"},
  "ecs":{
    "version":"1.0.0"}
 
 }

Thanks for any answers.
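
The reshaping asked for above, written out as an added example (not part of the original post and not Elastic's code): a plain Ruby function that turns the Winlogbeat layout into the requested one, including the case where a flattened `event_data` key would collide with an existing `winlog` key. The function name `reshape` and the trimmed sample event are assumptions made for illustration; the event is handled as a plain Hash so the block runs offline, and the same logic could be adapted to a Logstash `ruby` filter.

```ruby
# Added example: reshapes a Winlogbeat 7.x event (as a plain Hash) into the
# layout requested in the post. "reshape" is a hypothetical helper name.
require 'json'

# Constructed sample, trimmed from the event shown in the post.
SAMPLE = JSON.parse(<<~'EVENT')
  {"winlog":{"record_id":233841,"event_id":4634,"task":"Logoff",
             "event_data":{"LogonType":"3","TargetUserName":"WIN_TEMPLATE$"}},
   "agent":{"hostname":"win_template","type":"winlogbeat"},
   "event":{"code":4634,"action":"Logoff"},
   "tags":[],"host":{"name":"win_template"},
   "@timestamp":"2019-07-03T08:30:24.457Z"}
EVENT

def reshape(event)
  out = Marshal.load(Marshal.dump(event))   # deep copy, input stays untouched

  # winlog -> msg, with event_data flattened into it.
  msg  = out.delete('winlog') || {}
  data = msg.delete('event_data') || {}
  # A key that already exists in msg (for example an event_data field named
  # "task") stays under msg.event_data instead of silently overwriting the
  # winlog value.
  collisions = {}
  data.each do |k, v|
    if msg.key?(k) then collisions[k] = v else msg[k] = v end
  end
  msg['event_data'] = collisions unless collisions.empty?
  out['msg'] = msg

  # agent -> meta, with host and tags moved underneath it.
  meta = out.delete('agent') || {}
  meta['host'] = out.delete('host') if out.key?('host')
  meta['tags'] = out.delete('tags') if out.key?('tags')
  out['meta'] = meta

  out.delete('event')   # the target layout in the post has no "event" object
  out
end

puts JSON.pretty_generate(reshape(SAMPLE)) if __FILE__ == $PROGRAM_NAME
```

Anything downstream that queries the original field names (for example `winlog.event_data.TargetUserName`) has to be updated to the new paths.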
