logstash parse windows event id 1102

0
votes

hello I am newer to the logstash. when I am trying to parse the @message field in logstash, that is output from nxlog. can anyone please suggest me how to use regex in grok to parse the below @message field.

"The audit log was cleared.\r\nSubject:\r\n\tSecurity ID:\tS-1-5-21-1753799626-3523340796-3104826135-1001\r\n\tAccount Name:\tJhon\r\n\tDomain Name:\tJactrix\r\n\tLogon ID:\t1x12325"

and I am using following grok pattern to parse

match => { "%{@message}" => "%{GREEDYDATA:msg}\r\nSubject:%{DATA}\r\n\tSecurity ID:\t%{USERNAME}\r\n\tAccount Name:%{GREEDYDATA}\r\n\tDomain Name:\t%{GREEDYDATA}\r\n\tLogon ID:\t%{GREEDYDATA}" }

Thank you

1
logstashlogstash-grok

1 Answers

0
votes

as a starter you could try the following pattern:

%{GREEDYDATA:msg}.*Subject:%{GREEDYDATA:subject}.*Security ID:%{GREEDYDATA:securityId}.*Account Name:%{GREEDYDATA:accountName}Domain Name:%{GREEDYDATA:domainName}Logon ID:%{GREEDYDATA:logonID}

Then try to refine the patterns depending on the structure of your log-files (e.g. accountName might be %{WORD} or ....). You can use http://grokdebug.herokuapp.com/ to test your pattern. A list of predefined patterns is found here: https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns