WinlogBeat shipping custom event log to ES, Parsing woes

Hey gang. Some of our devs have been working on application APIs and are using Windows events to store errors and audits and the like.
I have Winlogbeat picking up these events and shipping them into the winlogbeat-* index, but I do not know how to break out the fields as they are not being shipped as JSON. Everything is in .param1 and is pretty hard to search on reliably.

We have two event.providers in the log I'm tinkering with now: Log and Audit. The types are as such:
Log

```csharp
/// Unique ID for the log event.
public Guid Identifier { get; set; }

/// Type of action or event being logged (i.e. Rating, Quoting, Submission, etc).
public object IdentifierType { get; set; }

/// Name of the application that is sending the request to log.
public string ApplicationName { get; set; }

/// Severity of the event being logged.
public SeverityLevel Severity { get; set; }

/// Granular action or event describing why (or what place in code) the event is being logged.
public string LogType { get; set; }

/// Name of the event or action being logged.
public string Name { get; set; }

/// Description of the circumstances for the log.
public string Description { get; set; }

/// Stack trace for any errors being logged, if applicable.
public string FullStackTrace { get; set; }

/// Date and time when the log was created.
public DateTime AuditCreatedDate { get; set; } = DateTime.Now;
```

Audit

```csharp
/// Unique ID for the audit.
public Guid Identifier { get; set; }

/// Type of action, event, or audit being logged.
public object IdentifierType { get; set; }

/// Name of the application that is sending the request to log.
public string ApplicationName { get; set; }

/// ID of the user taking the action being audited.
public string UserID { get; set; }

/// IP Address where the action is occurring.
public string IPAddress { get; set; }

/// The action being taken.
public string Operation { get; set; }

/// ID of the request (used for tracking).
public object RequestID { get; set; }
```

I am under the impression that this may require a custom .js module? Or do I need to somehow send it through Logstash and a grok processor to get it massaged the way I need it?
I'm sure I'm not the first person that's been stumped like this, but I can't find anything from A to Z to help me get this done.
Thanks.
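
An added example, not part of the original post: the body of a Winlogbeat `script` processor (JavaScript) that breaks `param1` into separate fields using the property names of the Log and Audit types above. Assumptions: the value arrives as `winlog.event_data.param1`, it holds one `Name: value` pair per line (the post does not show the real payload), and the `app.` prefix, `splitPairs` and `enrich` are hypothetical names.

```javascript
// ASSUMPTION: param1 holds one "Name: value" pair per line. The post does not
// show the real payload, so adapt splitPairs() to the actual serialization.

// Property names from the Log and Audit types in the post. Only these are
// promoted to fields, so stray text in param1 cannot create new index mappings.
var KNOWN = ["Identifier", "IdentifierType", "ApplicationName", "Severity",
             "LogType", "Name", "Description", "FullStackTrace",
             "AuditCreatedDate", "UserID", "IPAddress", "Operation", "RequestID"];

function splitPairs(text) {
    var out = {}, last = null;
    var lines = String(text).split(/\r?\n/);
    for (var i = 0; i < lines.length; i++) {
        var m = /^\s*([A-Za-z]+)\s*:\s?(.*)$/.exec(lines[i]);
        if (m && KNOWN.indexOf(m[1]) !== -1) {
            last = m[1];
            out[last] = m[2];
        } else if (last === "FullStackTrace" && lines[i] !== "") {
            out[last] += "\n" + lines[i];   // keep multi-line stack traces whole
        }
    }
    return out;
}

// Winlogbeat's entry point must be named process(event); in the processor's
// source, add: function process(event) { enrich(event); }
function enrich(event) {
    var raw = event.Get("winlog.event_data.param1");   // assumed field path
    if (raw === null || raw === undefined) { return; }
    var fields = splitPairs(raw);
    var count = 0;
    for (var key in fields) {
        if (fields.hasOwnProperty(key)) {
            event.Put("app." + key, fields[key]);   // hypothetical "app." namespace
            count++;
        }
    }
    // Tag events that yielded nothing so a change in log format is noticed.
    if (count === 0) { event.Tag("param1_unparsed"); }
}
```

Searching the `param1_unparsed` tag shows when the developers' log format has changed and audit fields such as `UserID` and `IPAddress` are no longer being extracted.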
