Replace field Values Winlogbeat

xxstyler20xx · November 30, 2019, 11:56am

Hey guys I can’t find a straight answer…
I want to replace the hex values from securitylog…

----- field----
winlogbeat_event_data_SubStatus
0xc000006a

the hexcodes have different meanings so if the value is 0xc000006a
I want to replace it with
wrong password

if the value is
0xc0000064
replace with
wrong username

0xc0000071
replace with
password expired

and so on. is there a way to do so?

Thanks for your help

jan · November 30, 2019, 9:02pm

you could create a text file that holds the data in a csv. That means you have a file that holds the keys and the replacements.

That file needs to be uploaded to all Graylog servers and you configure a lookup table with that data. After that you configure a processing pipeline that use the lookup table in your processing and replace the string.

xxstyler20xx · November 30, 2019, 6:34pm

Sounds good to go with… could you help me with this ? what columns do i need in the file?

xxstyler20xx · November 30, 2019, 8:46pm

Hey jan got it working thanks for the hint…
Can you maybe help out on another question i posted?

Replace field Values Winlogbeat

----- field---- winlogbeat_event_data_SubStatus 0xc000006a

----- field----
winlogbeat_event_data_SubStatus
0xc000006a