We just started ingesting Windows event logs from Microsoft Azure Storage (sourcetype = mscs:storage:table). We installed the Microsoft Cloud Services add-on on one of our heavy forwarders, and it forwards to our indexers.
When data gets indexed, the host field value has the name of the heavy forwarder instead of the actual Windows host. The actual Windows host name is represented in a field called RoleInstance.
Example:
Channel: Security
DeploymentId: be79887e-
Description: Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: AZDC$
Account Domain: F
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: {55C5AD0C-}
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
Operation: Read persisted key from file.
Return Code: 0x0
EventId: 5058
EventTickCount: 6369
EventTickCount@odata.type: Edm.Int64
Level: 0
Opcode: 0
PartitionKey: 06
Pid: 708
PreciseTimeStamp: 2019-05-13T17:16:58.0636879Z
PreciseTimeStamp@odata.type: Edm.DateTime
ProviderGuid: {5484962-}
ProviderName: Microsoft-Windows-Security-Auditing
RawXml:
Role: IaaS
RoleInstance: _AZDC
RowIndex: 000000
Is there a way to change that? Or is this something for which I will have to use transforms.conf and props.conf?
If so, how would I have to write the regex so it will extract the actual server name from the RoleInstance field?
The raw event starts like this:
{"DeploymentId": "be798", "EventTickCount@odata.type": "Edm.Int64", "RoleInstance": "_AZDC", "TIMESTAMP@odata.type": "Edm.DateTime", "odata.etag":
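One way to set the host from RoleInstance is an index-time host override, written here as an added example rather than configuration shipped with the add-on or taken from the original post. It assumes the sourcetype name mscs:storage:table from the question, that the raw event is JSON with a "RoleInstance" key as in the snippet above, and that the stanza name azure_roleinstance_host is a free choice. The override has to live on the heavy forwarder, because that is the first full Splunk instance that parses these events; by the time the indexers receive them the host metadata is already set, so the same stanzas placed only on the indexers would have no effect.

```ini
# props.conf (on the heavy forwarder, in an app such as local/ or a deployed app)
# Tie the sourcetype from the question to the host-override transform below.
[mscs:storage:table]
TRANSFORMS-set_host = azure_roleinstance_host

# transforms.conf (same instance)
# Pull the value of the "RoleInstance" JSON key out of the raw event and
# write it into the host metadata field instead of the forwarder's own name.
[azure_roleinstance_host]
REGEX = "RoleInstance"\s*:\s*"([^"]+)"
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Restart the heavy forwarder after adding the stanzas; the override applies only to events parsed after the restart, so anything already indexed keeps the forwarder name as host. To check it, run a search such as `sourcetype=mscs:storage:table | stats count by host` and confirm the RoleInstance values appear as hosts. The sample value in the post is "_AZDC", with a leading underscore; if that prefix is not wanted as part of the host name, a capture group such as `"RoleInstance"\s*:\s*"_?([^"]+)"` would drop a single leading underscore, but whether that prefix is meaningful in your Azure deployment is an assumption to verify against your own data first.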