Field matching based on lookup table
Tags:
#1
cmiscloni
Hi all,
Does Nxlog Enterprise has the possibility to request a table in order to convert some field ?
Like EventID 4624 on Windows and replace LogonType ID to a more readable string:
"2": "Interactive",
"3": "Network",
"4": "Batch",
"5": "Service",
"7": "Unlock",
"8": "NetworkCleartext",
"9": "NewCredentials",
"10": "RemoteInteractive",
"11": "CachedInteractive",
#1
cmiscloni
Hi all,
Does Nxlog Enterprise has the possibility to request a table in order to convert some field ?
Like EventID 4624 on Windows and replace LogonType ID to a more readable string:
"2": "Interactive",
"3": "Network",
"4": "Batch",
"5": "Service",
"7": "Unlock",
"8": "NetworkCleartext",
"9": "NewCredentials",
"10": "RemoteInteractive",
"11": "CachedInteractive",
Hello,
It's possible but you will need to write this table in your config.
We have `im_msvistalog` input module, it parses incoming messages and adding additional fields like `$LogonType`.
With it you could use simple if-else statement to check, what is this type, and add a new field or change already existing, depends on your needs.
Something like this:
```
if $LogonType == 2 $NewMessage = "Interactive";
else if $LogonType == 3 $NewMessage = "Network";
else if $LogonType == 4 $NewMessage = "Batch";
else if $LogonType == 5 $NewMessage = "Service";
```
Also you can parse the entire `$raw_message` using regex but it will take much more resources and I'm not is this makes any sense.
Let us know if this was useful you.
Best regards, Arch
