We are using Winlogbeat to collect event logs, but rather than pull the data out of the winlog field, I want to move all of its contents into the root of the document, which will help me automatically generate the fields I need.
processors:
  - decode_json_fields:
      fields: ["winlog"]
      process_array: false
      max_depth: 1
      target: ""
      overwrite_keys: true
      add_error_key: false

winlogbeat.event_logs:
  - name: Security
I've tried making the processors global, as in the winlogbeat.yml above, and moving them into the module. In both cases the processor seems to be completely ignored. Expected output is something like:
{
  "@timestamp": "2022-06-14T13:41:01.532Z",
  "@metadata": {
    "beat": "winlogbeat",
    "type": "_doc",
    "version": "7.17.1"
  },
  "host": {
    "name": "xxxxx"
  },
  "ecs": {
    "version": "1.12.0"
  },
  "agent": {
    "hostname": "xxxxx",
    "ephemeral_id": "xxx-xxx-xxx",
    "id": "xxx-xxx-xxx",
    "name": "xxxxx",
    "type": "winlogbeat",
    "version": "7.17.1"
  },
  "channel": "Security",
  "record_id": 12345,
  "provider_guid": "{xxx-xxx-xxx}",
  "api": "wineventlog",
  "computer_name": "xxxxx",
  "process": {
    "pid": 123,
    "thread": {
      "id": 1234
    }
  },
  "provider_name": "Microsoft-Windows-Security-Auditing",
  "keywords": [
    "Audit Success"
  ],
  "opcode": "Info",
  "task": "Logoff",
  "event_data": {
    "TargetUserName": "xxxxx$",
    "TargetDomainName": "xxxxx",
    "TargetLogonId": "xxxxxx",
    "LogonType": "3",
    "TargetUserSid": "S-1-5-18"
  },
  "event_id": "4634",
  "event": {
    "code": "4634",
    "kind": "event",
    "provider": "Microsoft-Windows-Security-Auditing",
    "outcome": "success",
    "action": "Logoff",
    "created": "2022-06-14T13:41:03.201Z"
  },
  "log": {
    "level": "information"
  }
}
I found the answer eventually. The field that json_decode_field takes has to be a string. I was able to get it working by converting the field to a string before json_decode_field.
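The two-step approach the answer describes, written out as a complete winlogbeat.yml fragment. This is an added example, not configuration from the original post: the `script` processor serialises the `winlog` object to a JSON string (decode_json_fields silently skips fields that are not strings), decode_json_fields then expands that string into the document root, and drop_fields removes the now-redundant string copy. The channel name, the script body and the processor ordering are assumptions for illustration.

```yaml
# Added example (not from the original post). Assumes Winlogbeat 7.x, the
# Security channel, and a global processors list; adjust to your own file.
winlogbeat.event_logs:
  - name: Security

processors:
  # Step 1: decode_json_fields only acts on string-valued fields, so turn the
  # winlog object into its JSON text representation first.
  - script:
      lang: javascript
      source: >
        function process(event) {
          var w = event.Get("winlog");
          if (w === null || typeof w !== "object") {
            return;               // absent or already a string: nothing to do
          }
          event.Put("winlog", JSON.stringify(w));
        }

  # Step 2: decode that string straight into the document root.
  - decode_json_fields:
      fields: ["winlog"]
      target: ""
      overwrite_keys: true      # existing root fields with the same name are replaced
      process_array: false
      max_depth: 1
      add_error_key: true       # a decode failure is recorded in error.message instead of being silent

  # Step 3: the source string is left in place by decode_json_fields; drop it.
  - drop_fields:
      fields: ["winlog"]
      ignore_missing: true
```

Two things to check before relying on this in production: with `overwrite_keys: true` and an empty `target`, any key inside `winlog` that shares a name with a root field (for example `winlog.process`, which holds the logging process's PID and thread ID) replaces the root field of the same name, so verify the resulting documents against your index mapping and ECS expectations; and `add_error_key: true` is deliberate, because a silently skipped decode is exactly the failure mode the original question ran into.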