Graylog3 Add fields from message

Hello,

Context:

I have some Windows clients and servers.
They have Sysmon, and logs are sent with Winlogbeat to Logstash, then Logstash sends them to Graylog with the GELF type.

That works, but I have this:

As you can see, the red arrow shows the fields that I have, but how can I get the fields from the blue arrow? (Image, SourceIP, DestinationIP…)

Thank you.

OK, finally it's OK ^^

1. System / Inputs
2. Manage extractors (on your input)
3. Get started
4. Load messages (an example of your logs)
5. On the part you need, click "Select extractor type" -> Regular Expression

So I have this:

Then I complete it like this with: User:[\s]*([^\s]*)

And save:

So, I have:

Then, if we check:

Thank you :stuck_out_tongue:
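As an added example (not code from the thread or from Graylog), the script below runs the extractor regular expression from the post above against a constructed Sysmon network-connection message, then shows a line-anchored variant for the other fields asked about (Image, SourceIp, DestinationIp). The sample message and the `extract_fields` helper are assumptions made for this illustration; Graylog's extractor uses Java regular expressions, so the patterns stick to syntax that Java and Python share (`^`, `$`, lazy `.*?`, and the multiline flag, written `(?m)` inline in Graylog). It also shows the caveat with `[^\s]*`: it stops at the first space, so a user such as `NT AUTHORITY\SYSTEM` is captured only as `NT`.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of a Sysmon Event ID 3 (network connection) message as it
# typically arrives in the "message" field after Winlogbeat. Not from the thread.
SAMPLE_MESSAGE = (
    "Network connection detected:\r\n"
    "RuleName: -\r\n"
    "UtcTime: 2024-01-01 12:00:00.000\r\n"
    "ProcessId: 4242\r\n"
    "Image: C:\\Windows\\System32\\svchost.exe\r\n"
    "User: NT AUTHORITY\\SYSTEM\r\n"
    "Protocol: tcp\r\n"
    "SourceIp: 10.0.0.5\r\n"
    "SourcePort: 49152\r\n"
    "DestinationIp: 10.0.0.9\r\n"
    "DestinationPort: 443\r\n"
)

# The exact pattern from the post: first run of non-whitespace after "User:".
THREAD_USER_PATTERN = re.compile(r"User:[\s]*([^\s]*)")


def extract_with_thread_pattern(message: str) -> Optional[str]:
    """Apply the thread's extractor regex; capture group 1 is what Graylog stores."""
    m = THREAD_USER_PATTERN.search(message)
    return m.group(1) if m else None


def field_pattern(name: str) -> "re.Pattern[str]":
    """Build a line-anchored pattern that captures the whole value of one field.

    Anchoring at line start avoids matching 'SourceIp' inside 'DestinationIp'
    style collisions, and capturing to end of line keeps values with spaces.
    The optional \\r handles Windows line endings in the message text.
    """
    return re.compile(rf"^{re.escape(name)}:[ \t]*(.*?)[ \t]*\r?$", re.MULTILINE)


DEFAULT_FIELDS: Tuple[str, ...] = (
    "Image", "User", "SourceIp", "SourcePort", "DestinationIp", "DestinationPort",
)


def extract_fields(message: str, names: Tuple[str, ...] = DEFAULT_FIELDS) -> Dict[str, Optional[str]]:
    """Extract each named field; Sysmon writes '-' for an empty value, map that to None."""
    out: Dict[str, Optional[str]] = {}
    for name in names:
        m = field_pattern(name).search(message)
        if m:
            value = m.group(1)
            out[name] = None if value == "-" else value
    return out


if __name__ == "__main__":
    print("thread pattern ->", extract_with_thread_pattern(SAMPLE_MESSAGE))
    for key, value in extract_fields(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

To reuse the anchored form in the Graylog UI, paste one field pattern at a time, e.g. `(?m)^Image:[ \t]*(.*?)[ \t]*\r?$`, and name the target field accordingly; each extractor stores its capture group 1.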

If you would send the messages directly from Winlogbeat to the Beats input in Graylog, you would not need the parsing … just to have it mentioned.

Thanks for the suggestion, I will try it.
