Hi All,
I have data that I would like to ingest into Graylog using fluent-bit. The following is the data:
```json
{
  "timestamp": "2023-10-01T20:36:53.079+0000",
  "rule": {
    "level": 3,
    "description": "Windows User Logoff.",
    "id": "60137",
    "firedtimes": 275,
    "mail": false,
    "groups": ["windows", "windows_security"],
    "gdpr": ["IV_32.2"],
    "hipaa": ["164.312.b"],
    "nist_800_53": ["AC.7", "AU.14"],
    "pci_dss": ["10.2.5"],
    "tsc": ["CC6.8", "CC7.2", "CC7.3"]
  },
  "agent": {"id": "045", "name": "HOSTNAME", "ip": "10.6.57.51"},
  "manager": {"name": "OSHW01"},
  "id": "1696192613.464067641",
  "decoder": {"name": "windows_eventchannel"},
  "data": {
    "win": {
      "system": {
        "providerName": "Microsoft-Windows-Security-Auditing",
        "providerGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
        "eventID": "4634",
        "version": "0",
        "level": "0",
        "task": "12545",
        "opcode": "0",
        "keywords": "0x8020000000000000",
        "systemTime": "2023-10-01T20:36:52.075049500Z",
        "eventRecordID": "47135776",
        "processID": "664",
        "threadID": "2824",
        "channel": "Security",
        "computer": "8",
        "severityValue": "AUDIT_SUCCESS",
        "message": "An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-281294383-1138842768-2788462225-1134\r\n\tAccount Name:\t\tgensvcadmin\r\n\tAccount Domain:\t\t\r\n\tLogon ID:\t\t0xBCC4EDEE\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
      },
      "eventdata": {
        "targetUserSid": "S-1-5-21-281294383-1138842768-2788462225-1134",
        "targetUserName": "gensvcadmin",
        "targetDomainName": "**",
        "targetLogonId": "0xbcc4edee",
        "logonType": "3"
      }
    }
  },
  "location": "EventChannel"
}
```
The data is OK when I use the extractor.
The data is not represented correctly: the field agent.id is represented as agent_id. I need the index to be nested.
Any suggestion would help.
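To make the nesting problem concrete, here is an added example (not code from the original post, fluent-bit or Graylog) that loads a constructed subset of the alert above and flattens it two ways. It shows that a "." separator keeps the nested path recoverable, while the "_" flattening the post describes (agent.id becoming agent_id) is lossy once keys such as nist_800_53 contain underscores themselves.

```python
import json

# Constructed subset of the Wazuh alert posted above (message text dropped).
ALERT_JSON = '''{"timestamp":"2023-10-01T20:36:53.079+0000",
"rule":{"level":3,"id":"60137","nist_800_53":["AC.7","AU.14"]},
"agent":{"id":"045","name":"HOSTNAME","ip":"10.6.57.51"},
"data":{"win":{"system":{"eventID":"4634","channel":"Security"},
"eventdata":{"targetUserName":"gensvcadmin","logonType":"3"}}}}'''


def flatten(obj, sep=".", prefix=""):
    """Flatten nested dicts into one level; lists stay as multi-valued fields."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}{sep}{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, sep, path))
        else:
            out[path] = value
    return out


def unflatten(flat, sep="."):
    """Rebuild the nested object from separator-joined paths."""
    root = {}
    for path, value in flat.items():
        node = root
        parts = path.split(sep)
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return root


def demo():
    alert = json.loads(ALERT_JSON)
    dotted = flatten(alert, sep=".")
    underscored = flatten(alert, sep="_")
    # Dotted paths round-trip; "_" paths do not, because rule_nist_800_53
    # splits into rule/nist/800/53 when the nesting is rebuilt.
    return {
        "dotted_roundtrip": unflatten(dotted, ".") == alert,
        "underscore_roundtrip": unflatten(underscored, "_") == alert,
        "agent_id_dotted": dotted["agent.id"],
        "agent_id_underscored": underscored["agent_id"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```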