@defensivedepth
Created December 21, 2018 17:14
Logstash configuration snippet for Windows eventlogs shipped by the osquery table windows_events
filter {
  json {
    # Do the initial JSON parse
    source => "message"
    target => "osquery"
  }
  mutate {
    # Remove the \\x0A
    gsub => ["[osquery][columns][data]", "\\x0A", ""]
  }
  json {
    # Parse the nested JSON now that it is valid
    source => "[osquery][columns][data]"
    target => "[osquery][columns][data]"
  }
  mutate {
    # Move the nested JSON up a bit for a cleaner log
    merge => { "[osquery][columns]" => "[osquery][columns][data]" }
  }
}
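To check what the filter does to a record before deploying it, the same four steps can be replayed offline in Python. This is an added example, not part of the gist; the event line is constructed by hand in the shape osquery emits for windows_events, with the literal `\x0A` text that makes the nested data column unparseable until it is stripped.

```python
import json

# Constructed sample line (not real osquery output). The "data" column is itself
# a JSON string in which a newline has been written as the literal text \x0A,
# which JSON does not accept as an escape sequence.
SAMPLE_MESSAGE = (
    r'{"name":"pack_windows_events","hostIdentifier":"host-example","action":"added",'
    r'"columns":{"source":"System","provider_name":"Service Control Manager","eventid":"7045",'
    r'"data":"{\"EventData\":{\"ServiceName\":\"ExampleSvc\",\"Comment\":\"line one\\x0Aline two\"}}"}}'
)


def nested_data_is_valid_json(message: str) -> bool:
    """True if the nested data column parses as-is (without the gsub step)."""
    data = json.loads(message)["columns"]["data"]
    try:
        json.loads(data)
        return True
    except json.JSONDecodeError:
        return False


def parse_windows_event(message: str) -> dict:
    """Replay the Logstash filter: outer json, gsub, nested json, merge.

    Returns what would land in the [osquery] field after the filter runs.
    """
    osquery = json.loads(message)                      # json { source => "message" }
    columns = osquery["columns"]
    columns["data"] = columns["data"].replace("\\x0A", "")  # mutate gsub: drop literal \x0A
    columns["data"] = json.loads(columns["data"])      # nested json parse, now valid
    columns.update(columns["data"])                    # mutate merge: hash keys move up into columns
    return osquery


if __name__ == "__main__":
    print("nested data valid before gsub:", nested_data_is_valid_json(SAMPLE_MESSAGE))
    print(json.dumps(parse_windows_event(SAMPLE_MESSAGE), indent=2))
```

Note that the gsub replaces `\x0A` with an empty string, so text on either side of the former newline is joined with no separator, as the filter above does.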