Windows EventLogs indexing

Posted: Mon Apr 20, 2020 5:13 am
by mgsteiner
Hi all,

When my Nagios Log Server receives the eventlog messages from Windows servers, it indexes them using the receiving @timestamp value.
Now I would like to use the EventTime value from the eventlog to do the indexing and also to replace the value of @timestamp.

How can I do that?

Thanks a lot in advance
Rgds
Max

Re: Windows EventLogs indexing

Posted: Mon Apr 20, 2020 9:39 am
by cdienger
The date filter (https://www.elastic.co/guide/en/logstas ... date.html) can be used to update the @timestamp field with the value from another field. The below will try to match the event time and if it matches it will replace @timestamp with the value in EventTime:

# parse EventTime with the given pattern and, on success, write it to @timestamp
date {
  match => [ "EventTime", "yyyy-MM-dd HH:mm:ss" ]
}

Re: Windows EventLogs indexing

Posted: Fri Apr 24, 2020 2:16 am
by mgsteiner
After applying the following filter for eventlog, our NLS is now able to process all the events coming from servers around the world with the proper @timestamp, which is based on EventTime instead of ReceivedEventTime:

# run the date filter only for eventlog records that actually carry an EventTime field
# ('"" in [EventTime]' is the Logstash idiom for "the field exists")
if ([type] == "eventlog" and "" in [EventTime]) {
  date {
    match => [ "EventTime", "yyyy-MM-dd HH:mm:ss" ]
  }
}

Thanks a lot for your help.
Best Regards
Max
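What the posted filter does to an event, as an added Python emulation written for this thread (it is not Logstash and not code from either poster): it applies the "eventlog and EventTime present" guard, rewrites @timestamp from EventTime on a successful parse, and otherwise leaves @timestamp alone and adds the date filter's default _dateparsefailure tag. The sending host's UTC offset (+02:00) and the sample events are constructed assumptions; EventTime carries no zone, so that offset stands in for the filter's timezone option.

```python
from datetime import datetime, timedelta, timezone

# strftime equivalent of the Logstash/Joda pattern "yyyy-MM-dd HH:mm:ss"
EVENTTIME_FORMAT = "%Y-%m-%d %H:%M:%S"
# Assumed zone of the Windows hosts (constructed for this example): UTC+2
SENDER_TZ = timezone(timedelta(hours=2))


def apply_date_filter(event, source_field="EventTime", target="@timestamp",
                      tz=SENDER_TZ):
    """Emulate the thread's filter block: if type == "eventlog" and the
    source field exists, parse it and replace the target. On a parse
    failure the date filter leaves the target untouched and tags the
    event with "_dateparsefailure". Returns a new event dict."""
    out = dict(event)
    # '"" in [EventTime]' in Logstash is simply an existence check
    if out.get("type") != "eventlog" or source_field not in out:
        return out
    try:
        naive = datetime.strptime(out[source_field], EVENTTIME_FORMAT)
    except (TypeError, ValueError):
        out["tags"] = list(out.get("tags", [])) + ["_dateparsefailure"]
        return out
    # interpret the zone-less EventTime in the sender's zone, store as UTC
    utc = naive.replace(tzinfo=tz).astimezone(timezone.utc)
    out[target] = utc.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return out


# Constructed sample events (not from the thread): a good eventlog record,
# a non-eventlog record, a malformed EventTime, and a record without one.
RECEIVED = "2020-04-20T09:13:05.000Z"
SAMPLE_EVENTS = [
    {"type": "eventlog", "EventTime": "2020-04-20 05:13:00", "@timestamp": RECEIVED},
    {"type": "syslog", "EventTime": "2020-04-20 05:13:00", "@timestamp": RECEIVED},
    {"type": "eventlog", "EventTime": "04/20/2020 05:13:00", "@timestamp": RECEIVED},
    {"type": "eventlog", "Message": "no EventTime field", "@timestamp": RECEIVED},
]


def process_samples():
    """Run every sample through the emulated filter."""
    return [apply_date_filter(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, process_samples()):
        print(before.get("EventTime"), "->", after["@timestamp"], after.get("tags", []))
```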

Re: Windows EventLogs indexing

Posted: Fri Apr 24, 2020 7:31 am
by scottwilkerson
mgsteiner wrote: After applying the following filter for eventlog, our NLS is now able to process all the events coming from servers around the world with the proper @timestamp, which is based on EventTime instead of ReceivedEventTime:

if ([type] == "eventlog" and "" in [EventTime]) {
  date {
    match => [ "EventTime", "yyyy-MM-dd HH:mm:ss" ]
  }
}

Thanks a lot for your help.
Best Regards
Max
Great!

Locking thread