Hi all,
When my Nagios Log Server receives the EventLog messages from Windows servers, it indexes them using the receiving @timestamp value.
Now I would like to use the EventTime value from the event log to do the indexing and also to replace the value of @timestamp.
How can I do that?
Thanks a lot in advance
Rgds
Max
Windows EventLogs indexing
Re: Windows EventLogs indexing
The date filter (https://www.elastic.co/guide/en/logstas ... date.html) can be used to update the @timestamp field with the value from another field. The below will try to match the event time, and if it matches it will replace @timestamp with the value in EventTime:
date {
  match => [ "EventTime", "yyyy-MM-dd HH:mm:ss" ]
}
Re: Windows EventLogs indexing
After applying the following filter for eventlog, our NLS is now able to process all the events coming from servers around the world with the proper @timestamp , which is based on EventTime instead of ReceivedEventTime:
if ([type] == "eventlog" and "" in [EventTime]) {
date {
match => [ "EventTime", "yyyy-MM-dd HH:mm:ss" ]
}
}
Thanks a lot for your help.
Best Regards
Max
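To make the behaviour of that filter concrete, here is an added Python emulation (not code from the thread or from Logstash) of the conditional plus date filter above, run over a few constructed events. It shows the three outcomes a practitioner should expect: EventTime parsed and @timestamp replaced; EventTime absent, so the conditional skips the event and the receive time stays; and EventTime malformed, so @timestamp keeps the receive time and the event is tagged _dateparsefailure. The source timezone (UTC) is an assumption, since EventTime carries no zone designator.

```python
"""Emulate the eventlog date filter from this thread over constructed events."""
from datetime import datetime, timezone
from typing import Any

EVENTTIME_PATTERN = "%Y-%m-%d %H:%M:%S"   # Logstash "yyyy-MM-dd HH:mm:ss"
SOURCE_TZ = timezone.utc                   # assumption: sending hosts log in UTC


def apply_eventlog_date_filter(event: dict[str, Any]) -> dict[str, Any]:
    """if [type] == "eventlog" and "" in [EventTime] { date { match => [...] } }"""
    # Logstash's `"" in [EventTime]` is true only when the field exists as a string.
    if event.get("type") != "eventlog" or not isinstance(event.get("EventTime"), str):
        return event
    try:
        parsed = datetime.strptime(event["EventTime"], EVENTTIME_PATTERN)
    except ValueError:
        # date filter behaviour on a failed match: keep the receive-time
        # @timestamp and add the _dateparsefailure tag so the event is visible.
        event.setdefault("tags", []).append("_dateparsefailure")
        return event
    event["@timestamp"] = parsed.replace(tzinfo=SOURCE_TZ).isoformat()
    return event


# Constructed sample events; RECEIVED is what NLS would stamp on arrival.
RECEIVED = "2018-06-01T12:00:00+00:00"
SAMPLE_EVENTS = [
    {"type": "eventlog", "EventTime": "2018-05-31 23:58:41", "@timestamp": RECEIVED},
    {"type": "eventlog", "@timestamp": RECEIVED},                       # no EventTime
    {"type": "eventlog", "EventTime": "31/05/2018 23:58", "@timestamp": RECEIVED},
    {"type": "syslog", "EventTime": "2018-05-31 23:58:41", "@timestamp": RECEIVED},
]


def run() -> list[dict[str, Any]]:
    """Apply the filter to a copy of every sample event and return the results."""
    return [apply_eventlog_date_filter(dict(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e in run():
        print(e.get("type"), e.get("@timestamp"), e.get("tags", []))
```

Events that end up tagged _dateparsefailure are worth alerting on: they are exactly the ones whose timeline position in the index is the arrival time rather than the time the event happened on the Windows host.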
scottwilkerson (DevOps Engineer, Nagios Enterprises)
Re: Windows EventLogs indexing
Great!
mgsteiner wrote:
After applying the following filter for eventlog, our NLS is now able to process all the events coming from servers around the world with the proper @timestamp , which is based on EventTime instead of ReceivedEventTime:
if ([type] == "eventlog" and "" in [EventTime]) {
date {
match => [ "EventTime", "yyyy-MM-dd HH:mm:ss" ]
}
}
Thanks a lot for your help.
Best Regards
Max
Locking thread