/logstash-osquery-shipped-WEL.conf
Created Dec 21, 2018
Logstash configuration snippet for Windows eventlogs shipped by the osquery table windows_events
| filter { | |
| json { | |
| # Do the initial JSON parse | |
| source => "message" | |
| target => "osquery" | |
| } | |
| mutate { | |
| # Remove the \\x0A | |
| gsub => ["[osquery][columns][data]", "\\x0A", ""] | |
| } | |
| json { | |
| # Parse the nested JSON now that it is valid | |
| source => "[osquery][columns][data]" | |
| target => "[osquery][columns][data]" | |
| } | |
| mutate { | |
| # Move the nested JSON up a bit for a cleaner log | |
| merge => { "[osquery][columns]" => "[osquery][columns][data]" } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment