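# Filebeat log input with a two-stage dissect pipeline for audit-style lines.
# The line layout is assumed (from the tokenizer below) to be:
#   [date_time] sessionid [thread_name] username accountid operation_all
# where operation_all is either "LOGIN FROM <ip_address>" or
# "<operation> <parameters>".
filebeat.inputs:
  - type: log
    paths:
      - '/path/to/your/logs/*.log'
    processors:
      # Stage 1: split the raw line into its fixed leading fields.
      # target_prefix '' writes the tokens at the event root instead of under
      # the default "dissect." prefix; overwrite_keys lets them replace fields
      # of the same name that already exist on the event.
      # These values are copied verbatim from log content, so consumers should
      # treat them as untrusted input (nothing here validates them).
      # A line that does not match the tokenizer is not dropped: by default
      # Filebeat records the failure on the event (set ignore_failure: true to
      # restore the original event silently instead).
      - dissect:
          tokenizer: '[%{date_time}] %{sessionid} [%{thread_name}] %{username} %{accountid} %{operation_all}'
          field: 'message'
          target_prefix: ''
          overwrite_keys: true
      # Stage 2: the branch depends on what operation_all holds.
      # `equals` compares literally and would never match a placeholder such as
      # 'LOGIN FROM %{ip_address}', so an anchored regexp is used instead.
      - if:
          regexp:
            operation_all: '^LOGIN FROM '
        then:
          - dissect:
              tokenizer: '%{operation} FROM %{ip_address}'
              field: 'operation_all'
              target_prefix: ''
              overwrite_keys: true
        else:
          - dissect:
              tokenizer: '%{operation} %{parameters}'
              field: 'operation_all'
              target_prefix: ''
              overwrite_keys: true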