Winlogbeat mapping to OCSF

Zachary_Schmerber · May 16, 2023, 9:03pm

Hello, I am trying to find a way to remove the ECS mappings that defaults in winlogbeats and move to OCSF mapping. Anyone know where the logic for the ECS transformations lives or have a repo for winlogbeat that dose not contain ECS. Is there a switch to turn off ECS in winlogbeats?

The way I see it I can do this mapping 2 ways:

Send Json raw wineventlogs to logstash and map there.
Map the OCSF in winlogbeats and send transformed data into the pipeline.

I would prefer to use winlogbeats to do the transformations but do not know where to insert my logic.

Any help on this would be greatly appreciated.
One thing I do not want to do is map from ECS to OCSF as that is a waist of compute.

#elastic-stack:beats and #elastic-stack:logstash.

system · June 13, 2023, 9:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Mapping Winlogbeat old version to newest ECS Beats ecs-elastic-common-schema , winlogbeat	3	736	June 14, 2021
Logstash to ECS Logstash ecs-elastic-common-schema	5	2910	September 10, 2019
Active Directory logs and mapping to ECS (I am stumped) SIEM ecs-elastic-common-schema	7	7984	November 11, 2019
Winlogbeat and ECS Beats winlogbeat	8	2010	October 30, 2018
Elastic Common Schema Implementation Elasticsearch ecs-elastic-common-schema	5	2815	March 14, 2019

Winlogbeat mapping to OCSF

Related topics