Translate GUID
The translate_ldap_attribute processor translates one LDAP attribute into another. It is typically used to translate AD Global Unique Identifiers (GUID) into their common names.
Every object on an Active Directory or an LDAP server is issued a GUID. Internal processes refer to objects by their GUIDs rather than by their names, and these values sometimes appear in logs.
If the search attribute is invalid (malformed) or does not map to any object on the domain, the processor returns an error unless ignore_failure is set.
The result of this operation is an array of values, given that a single attribute can hold multiple values.
Note: the search attribute is expected to map to a single object. If it doesn’t, no error is returned, but only the results of the first entry are added to the event.
```yaml
processors:
  - translate_ldap_attribute:
      field: winlog.event_data.ObjectGuid
      ldap_address: "ldap://"
      ldap_base_dn: "dc=example,dc=com"
      ignore_missing: true
      ignore_failure: true
```
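The lookup described above, as an added illustration (not Beats source code): a GUID taken from an event is reordered into Active Directory's 16-byte mixed-endian form and escaped into an LDAP filter, then the documented result rules are applied to constructed search results. The attribute names objectGUID and cn, the sample GUID and the in-memory SAMPLE_RESULTS are assumptions made for this example.

```python
import re
import uuid

# Canonical text form, optionally wrapped in braces as Windows events log it.
_GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?")


def guid_filter(guid_text, search_attribute="objectGUID"):
    """Return the RFC 4515 filter that matches guid_text in Active Directory."""
    match = _GUID_RE.fullmatch(guid_text.strip())
    if match is None:
        raise ValueError(f"malformed GUID: {guid_text!r}")
    # AD stores the GUID as 16 raw bytes with the first three groups
    # little-endian; each byte is escaped as \xx inside the filter.
    raw = uuid.UUID(match.group(1)).bytes_le
    return "(%s=%s)" % (search_attribute, "".join("\\%02x" % b for b in raw))


def translate(guid_text, entries, mapped_attribute="cn", ignore_failure=False):
    """Apply the documented result handling to constructed search results.

    entries maps a filter string to the list of matching entries, each a
    dict of attribute name -> list of values (stand-in for an LDAP search).
    """
    try:
        found = entries.get(guid_filter(guid_text), [])
        if not found:
            raise LookupError("GUID does not map to any object")
        # Several matches are not an error: only the first entry is used,
        # and its attribute comes back as an array of values.
        return list(found[0].get(mapped_attribute, []))
    except (ValueError, LookupError):
        if ignore_failure:
            return None  # the event passes through without a translation
        raise


# Constructed sample data, not taken from a real directory.
SAMPLE_GUID = "{3f2504e0-4f89-11d3-9a0c-0305e82c3301}"
SAMPLE_RESULTS = {
    guid_filter(SAMPLE_GUID): [{"cn": ["Jane Doe"]}, {"cn": ["duplicate entry"]}],
}

if __name__ == "__main__":
    print(guid_filter(SAMPLE_GUID))
    print(translate(SAMPLE_GUID, SAMPLE_RESULTS))
```

The printed filter can be pasted into any LDAP search tool to confirm by hand which object a logged GUID resolves to.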
The translate_ldap_attribute processor has the following configuration settings:
Table 4. Translate GUID options
| Name | Required | Default | Description |
|---|---|---|---|
| field | yes | | Source field containing a GUID. |
| target_field | no | | Target field for the mapped attribute value. If not set it will be replaced in place. |
| ldap_address | yes | | LDAP server address. eg: |
| ldap_base_dn | yes | | LDAP base DN. eg: |
| | no | | LDAP user. |
| | no | | LDAP password. |
| | yes | | LDAP attribute to search by. |
| | yes | | LDAP attribute to map to. |
| | no | 30 | LDAP search time limit in seconds. |
| ldap_ssl* | no | 30 | LDAP TLS/SSL connection settings. |
| ignore_missing | no | false | Ignore errors when the source field is missing. |
| ignore_failure | no | false | Ignore all errors produced by the processor. |

* Also see SSL for a full description of the ldap_ssl options.
If the searches are slow or you expect a large number of distinct key attributes to be found, consider using a cache processor to speed up processing:
```yaml
processors:
  - cache:
      backend:
        memory:
          id: ldapguids
      get:
        key_field: winlog.event_data.ObjectGuid
        target_field: winlog.common_name
      ignore_missing: true
  - if:
      not:
        - has_fields: winlog.common_name
    then:
      - translate_ldap_attribute:
          field: winlog.event_data.ObjectGuid
          target_field: winlog.common_name
          ldap_address: "ldap://"
          ldap_base_dn: "dc=example,dc=com"
      - cache:
          backend:
            memory:
              id: ldapguids
            capacity: 10000
          put:
            key_field: winlog.event_data.ObjectGuid
            value_field: winlog.common_name
```