I'm using nxlog to send logs from Windows eventlog to elasticsearch, and using Kibana view.

I'm getting all the message as it is in the 'Message' column, I want to re-order it so the hostname parameter will be the windows server (and not the elasticsearch server), add 'Type' to the messages, etc.

this is the configuration file of nxlog:

* server

<Extension json>
 Module xm_json

# Nxlog internal logs
<Input internal>
   Module im_internal
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
   Module im_msvistalog
# Uncomment im_mseventlog for Windows XP/2000/2003
#   Module im_mseventlog
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
<Output out>
   Module om_http
   HTTPSAllowUntrusted    TRUE
<Route 1>
   Path internal, eventlog => out


this is an example message from kibana:


Field Action Value
@timestamp   2015-09-08T07:35:47.064Z
@version   1
_id   AU-r4dtqVULqkki94YkZ
_index   logstash-2015.09.08
_type   logs
http_port   5005

2015-09-08 07:35:43 dc-prod-zone-a.organization.com AUDIT_SUCCESS 4634 An account was logged off. Subject: Security ID: S-1-5-21-1595779987-1987268195-2987234418-1104 Account Name: DC-PROD-ZONE-C$ Account Domain: ORGANIZATION Logon ID: 0x679381 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.



Thanks a lot

AskedSeptember 8, 2015 - 9:44am

Answer (1)