Replace field Values Winlogbeat

Hey guys I can’t find a straight answer…
I want to replace the hex values from securitylog…

----- field----
winlogbeat_event_data_SubStatus
0xc000006a

the hexcodes have different meanings so if the value is 0xc000006a
I want to replace it with
wrong password

if the value is
0xc0000064
replace with
wrong username

0xc0000071
replace with
password expired

and so on. is there a way to do so?

Thanks for your help

you could create a text file that holds the data in a csv. That means you have a file that holds the keys and the replacements.

That file needs to be uploaded to all Graylog servers and you configure a lookup table with that data. After that you configure a processing pipeline that use the lookup table in your processing and replace the string.

Sounds good to go with… could you help me with this ? what columns do i need in the file?

Hey jan got it working thanks for the hint…
Can you maybe help out on another question i posted?