Hello, I am trying to find a way to remove the ECS mappings that are the default in Winlogbeat and move to OCSF mapping. Does anyone know where the logic for the ECS transformations lives, or have a repo for Winlogbeat that does not contain ECS? Is there a switch to turn off ECS in Winlogbeat?
The way I see it, I can do this mapping two ways:
- Send the raw JSON Windows event logs to Logstash and map there.
- Map to OCSF in Winlogbeat and send the transformed data into the pipeline.
I would prefer to use Winlogbeat to do the transformations but do not know where to insert my logic.
Any help on this would be greatly appreciated.
One thing I do not want to do is map from ECS to OCSF, as that is a waste of compute.
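The second option in the post (mapping to OCSF inside the shipper), as an added example that is not part of the original post and not Winlogbeat's own code. It maps a raw Windows Security logon event to an OCSF Authentication record (class_uid 3002) using only the raw `winlog.*` fields, so there is no ECS-to-OCSF hop. It assumes, without the post confirming it, that the Beats `script` processor exposes an event object with `Get`/`Put`/`Delete` taking dotted keys and calls an entry point named `process(event)`; the `makeEvent` shim and the sample 4625 event below are constructed stand-ins so the file also runs under Node, and the OCSF ids and version string are taken from the OCSF Authentication class.

```javascript
// Added example: OCSF Authentication mapping in the shape of a Beats JavaScript
// script processor. Not from the original post or from Winlogbeat.
//
// ASSUMPTIONS: the Beats script processor calls process(event) and the event
// object supports Get/Put/Delete with dotted keys (makeEvent below stands in
// for it); winlog.* names are the raw fields Winlogbeat emits; ids follow the
// OCSF Authentication class. The logic lives in mapToOcsf so the name does not
// collide with Node's global `process`; in Beats you would add
//   function process(event) { mapToOcsf(event); }

var OCSF_CLASS_AUTHENTICATION = 3002;
var OCSF_CATEGORY_IAM = 3;
var OCSF_SCHEMA_VERSION = "1.1.0"; // assumed target schema version

// activity_id / status_id / severity_id per Windows Security event ID.
var EVENT_MAP = {
  4624: { activity_id: 1, status_id: 1, severity_id: 1 }, // Logon, Success, Informational
  4625: { activity_id: 1, status_id: 2, severity_id: 2 }, // Logon, Failure, Low (policy choice)
  4634: { activity_id: 2, status_id: 1, severity_id: 1 }  // Logoff, Success, Informational
};

// Map one raw Security event to OCSF in place; unmodelled events pass through.
function mapToOcsf(event) {
  var eventId = Number(event.Get("winlog.event_id")); // string or number depending on version
  var spec = EVENT_MAP[eventId];
  if (!spec || event.Get("winlog.channel") !== "Security") {
    return;
  }
  var data = event.Get("winlog.event_data") || {};

  event.Put("class_uid", OCSF_CLASS_AUTHENTICATION);
  event.Put("category_uid", OCSF_CATEGORY_IAM);
  event.Put("activity_id", spec.activity_id);
  // OCSF convention: type_uid = class_uid * 100 + activity_id
  event.Put("type_uid", OCSF_CLASS_AUTHENTICATION * 100 + spec.activity_id);
  event.Put("status_id", spec.status_id);
  event.Put("severity_id", spec.severity_id);
  // OCSF time is epoch milliseconds; @timestamp assumed to be a Date or ISO string.
  event.Put("time", new Date(event.Get("@timestamp")).getTime());
  event.Put("metadata.version", OCSF_SCHEMA_VERSION);
  event.Put("metadata.product.name", event.Get("winlog.provider_name"));
  event.Put("device.hostname", event.Get("winlog.computer_name"));

  if (data.TargetUserName) { event.Put("user.name", data.TargetUserName); }
  if (data.TargetDomainName) { event.Put("user.domain", data.TargetDomainName); }
  // Windows writes "-" when a value is absent (e.g. logoff has no IpAddress).
  if (data.IpAddress && data.IpAddress !== "-") { event.Put("src_endpoint.ip", data.IpAddress); }
  if (data.WorkstationName && data.WorkstationName !== "-") { event.Put("src_endpoint.hostname", data.WorkstationName); }
  // OCSF logon_type_id uses the same numbering as the Windows LogonType field.
  if (data.LogonType) { event.Put("logon_type_id", Number(data.LogonType)); }

  // The raw source has been consumed; drop it so only the OCSF record is shipped.
  event.Delete("winlog");
}

// Constructed stand-in for the Beats event object (dotted-key Get/Put/Delete).
function makeEvent(fields) {
  function locate(key, create) {
    var parts = key.split(".");
    var node = fields;
    for (var i = 0; i < parts.length - 1; i++) {
      if (node[parts[i]] === undefined || node[parts[i]] === null) {
        if (!create) { return null; }
        node[parts[i]] = {};
      }
      node = node[parts[i]];
    }
    return { node: node, leaf: parts[parts.length - 1] };
  }
  return {
    fields: fields,
    Get: function (key) { var p = locate(key, false); return p ? p.node[p.leaf] : undefined; },
    Put: function (key, value) { var p = locate(key, true); p.node[p.leaf] = value; },
    Delete: function (key) { var p = locate(key, false); if (p) { delete p.node[p.leaf]; } }
  };
}

// Constructed sample: a failed network logon (4625), trimmed to the fields read above.
function sampleFailedLogon() {
  return makeEvent({
    "@timestamp": "2024-05-01T12:00:00.000Z",
    winlog: {
      channel: "Security",
      event_id: "4625",
      provider_name: "Microsoft-Windows-Security-Auditing",
      computer_name: "dc01.example.internal",
      event_data: {
        TargetUserName: "alice",
        TargetDomainName: "EXAMPLE",
        LogonType: "3",
        IpAddress: "10.0.0.5",
        WorkstationName: "WS42"
      }
    }
  });
}

// Run the mapping over the sample and return the resulting OCSF fields.
function mapSample() {
  var ev = sampleFailedLogon();
  mapToOcsf(ev);
  return ev.fields;
}

console.log(JSON.stringify(mapSample(), null, 2));
```

Because the mapping reads `winlog.event_data.*` rather than ECS fields such as `source.ip` or `user.name`, it does the same work regardless of whether ECS enrichment is present; whatever ECS base fields the shipper still attaches would have to be dropped separately.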