[Feature] Use winlogbeat processors to reduce unnecessary information in event logs

[tfriesen]

With current defaults, winlogbeat logs a great deal of superfluous information, such as the PID and TID of the winlogbeat process.

This creates log entries that are full of useless information, which consumes storage space, slows down searching/indexing, and generally makes analyzing the data less pleasant.

Recommend using winlogbeat processors to cut down on some unnecessary fields. I've added the following data to the top of my winlogbeat.yml with good results:

processors:
  - drop_fields:
      fields: ["agent.ephemeral_id","agent.id","agent.type","agent.version","ecs.version","event.kind","winlog.api","winlog.opcode","winlog.process.pid","winlog.process.thread.id","winlog.provider_guid","winlog.record_id","winlog.user.domain","winlog.user.identifier","winlog.user.name","winlog.user.type","winlog.version"]
      ignore_missing: true

Granted, my approach is a little ham-fisted, and some of the data I've excluded others might want to include. NB that winlog.user.name, etc refers to the user the winlogbeat process is running as, NOT to the user that generated the event, and so is always NT AUTHORITY/SYSTEM.

[tfriesen]

There is also duplicate information, like event.code and winlog.event_id which always seem to be the same, and one or the other could be excluded (not done in my example)

[duncan-ncc]

This sounds like a good idea and something we will look into in the future.

[duncan-ncc]

Closed due to project archive