Translate GUID
editTranslate GUID
editThe translate_ldap_attribute
processor translates an LDAP attributes between eachother.
It is typically used to translate AD Global Unique Identifiers (GUID)
into their common names.
Every object on an Active Directory or an LDAP server is issued a GUID. Internal processes refer to their GUID’s rather than the object’s name and these values sometimes appear in logs.
If the search attribute is invalid (malformed) or does not map to any object on the domain
then this will result in the processor returning an error unless ignore_failure
is set.
The result of this operation is an array of values, given that a single attribute can hold multiple values.
Note: the search attribute is expected to map to a single object. If it doesn’t, no error will be returned, but only results of the first entry will be added to the event.
processors: - translate_ldap_attribute: field: winlog.event_data.ObjectGuid ldap_address: "ldap://" ldap_base_dn: "dc=example,dc=com" ignore_missing: true ignore_failure: true
The translate_ldap_attribute
processor has the following configuration settings:
Table 7. Translate GUID options
Name | Required | Default | Description |
---|---|---|---|
|
yes |
Source field containing a GUID. |
|
|
no |
Target field for the mapped attribute value. If not set it will be replaced in place. |
|
|
yes |
LDAP server address. eg: |
|
|
yes |
LDAP base DN. eg: |
|
|
no |
LDAP user. |
|
|
no |
LDAP password. |
|
|
yes |
|
LDAP attribute to search by. |
|
yes |
|
LDAP attribute to map to. |
|
no |
30 |
LDAP search time limit in seconds. |
|
no |
30 |
LDAP TLS/SSL connection settings. |
|
no |
false |
Ignore errors when the source field is missing. |
|
no |
false |
Ignore all errors produced by the processor. |
* Also see SSL for a full description of the ldap_ssl
options.
If the searches are slow or you expect a high amount of different key attributes to be found, consider using a cache processor to speed processing:
processors: - cache: backend: memory: id: ldapguids get: key_field: winlog.event_data.ObjectGuid target_field: winlog.common_name ignore_missing: true - if: not: - has_fields: winlog.common_name then: - translate_ldap_attribute: field: winlog.event_data.ObjectGuid target_field: winlog.common_name ldap_address: "ldap://" ldap_base_dn: "dc=example,dc=com" - cache: backend: memory: id: ldapguids capacity: 10000 put: key_field: winlog.event_data.ObjectGuid value_field: winlog.common_name