Thanks Pedro, I just updated my configuration. I'm sharing my filter block here in case someone reads this topic and wants a complete guide.
filter {
  if [type] == "wazuh-alerts" {
    geoip {
      source => "srcip"
      target => "GeoLocation"
    }
    date {
      match  => ["timestamp", "ISO8601"]
      target => "@timestamp"
    }
    mutate {
      # Translate the Windows access-mask codes in "accesses" into readable names
      gsub => [
        "accesses", "%%1537", "Delete",
        "accesses", "%%1538", "ReadControl",
        "accesses", "%%1539", "ReadControl",
        "accesses", "%%1540", "ReadControl",
        "accesses", "%%1541", "Synchronize",
        "accesses", "%%1542", "Synchronize",
        "accesses", "%%4416", "ReadData",
        "accesses", "%%4417", "WriteData",
        "accesses", "%%4418", "AppendData",
        "accesses", "%%4419", "ReadEA",
        "accesses", "%%4420", "WriteEA",
        "accesses", "%%4423", "ReadAttrib",
        "accesses", "%%4424", "WriteAttrib",
        "accesses", "%%1801", "Granted",
        "accesses", "%%1805", "NotGranted"
      ]
      remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
    }
  }
}

Thank you
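To check what this filter does to an alert before loading it into Logstash, here is an added Python model of the date and mutate part of the block above. It is not code from the original post or from the Wazuh or Logstash projects: it applies the same %%NNNN-to-name substitutions the gsub rules do, sets @timestamp from the ISO8601 timestamp, drops the same fields, and additionally reports any codes the table does not cover, which the real filter would pass through to Elasticsearch as raw %%NNNN strings. The sample alert, its field values and the unknown code %%9999 are constructed; the geoip step is omitted.

```python
from __future__ import annotations

import re
from datetime import datetime, timezone

# Access-mask codes -> names, copied from the gsub rules in the post above.
ACCESS_NAMES = {
    "%%1537": "Delete",
    "%%1538": "ReadControl",
    "%%1539": "ReadControl",
    "%%1540": "ReadControl",
    "%%1541": "Synchronize",
    "%%1542": "Synchronize",
    "%%4416": "ReadData",
    "%%4417": "WriteData",
    "%%4418": "AppendData",
    "%%4419": "ReadEA",
    "%%4420": "WriteEA",
    "%%4423": "ReadAttrib",
    "%%4424": "WriteAttrib",
    "%%1801": "Granted",
    "%%1805": "NotGranted",
}

CODE_RE = re.compile(r"%%\d+")

# Fields the post's mutate block removes.
REMOVE_FIELDS = ("timestamp", "beat", "fields", "input_type", "tags", "count")


def translate_accesses(accesses: str) -> str:
    """Replace every %%NNNN token the way gsub does; unknown codes stay as-is."""
    return CODE_RE.sub(lambda m: ACCESS_NAMES.get(m.group(0), m.group(0)), accesses)


def unmapped_codes(accesses: str) -> list[str]:
    """Codes that would survive the filter as raw %%NNNN strings (gaps in the table)."""
    return sorted({c for c in CODE_RE.findall(accesses) if c not in ACCESS_NAMES})


def logstash_gsub_rules() -> list[str]:
    """Flat [field, pattern, replacement, ...] list, the shape mutate { gsub => [...] } takes."""
    rules: list[str] = []
    for code, name in ACCESS_NAMES.items():
        rules += ["accesses", code, name]
    return rules


def apply_filter(alert: dict) -> dict:
    """Model of the filter block: only events with type == wazuh-alerts are touched."""
    if alert.get("type") != "wazuh-alerts":
        return dict(alert)
    out = dict(alert)
    # date { match => ["timestamp", "ISO8601"] target => "@timestamp" }
    if "timestamp" in out:
        ts = datetime.fromisoformat(out["timestamp"])
        out["@timestamp"] = ts.astimezone(timezone.utc).isoformat()
    # mutate { gsub => [...] } on the "accesses" field
    if isinstance(out.get("accesses"), str):
        out["accesses"] = translate_accesses(out["accesses"])
    # mutate { remove_field => [...] }
    for field in REMOVE_FIELDS:
        out.pop(field, None)
    return out


# Constructed sample alert (not a real capture): two access codes separated by
# the CRLF/tab padding Windows puts in the Accesses field of a file-audit event.
SAMPLE_ALERT = {
    "type": "wazuh-alerts",
    "timestamp": "2017-06-12T10:15:30.123+02:00",
    "srcip": "192.0.2.10",
    "accesses": "%%4416\r\n\t\t\t\t%%4423",
    "beat": {"name": "constructed"},
    "tags": ["beats_input_raw_event"],
}

if __name__ == "__main__":
    print(apply_filter(SAMPLE_ALERT))
    # %%9999 is a made-up code used only to show how gaps are reported
    print("unmapped:", unmapped_codes("%%4416 %%9999"))
```

Run `unmapped_codes` over the accesses values in a day of alerts before trusting dashboards built on the translated field; any code it returns needs a new gsub triple, and `logstash_gsub_rules()` prints the list in the order the config expects so the table and the filter stay in sync.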