Custom Eventlog Parsing


(rhyse) #1

Hi

I am trying to parse a custom Windows event log into Elasticsearch. This event log is generated from a PowerShell script.

Event Data:

event_data.param1

RunDate : 15/08/2016 08:29:58
Caller : Services.local/HostedCompanies/xxxxxx/lukaszk00000
ObjectModified : Services.local/HostedCompanies/xxxxxx/lukaszk00000
CmdletName : Set-MailboxMessageConfiguration
CmdletParameters : SignatureHtml,AutoAddSignature,Identity
ModifiedProperties :
Succeeded : True
Error : None

Powershell Script:

# Event source, level and ID for the custom entries written to the Application log
$SourceName = "ExchangeAdminAudit"
$loglevel = "Information"
$EventID = "1"

# Pull the last 62 minutes of Exchange admin audit records and flatten the
# array-valued properties into delimited strings so they fit one event message
$logs = Search-AdminAuditLog -StartDate (Get-Date).AddMinutes(-62) | Select-Object RunDate,Caller,ObjectModified,CmdletName,@{Name='CmdletParameters';Expression={[string]::Join(",", ($_.CmdletParameters))}},@{Name='ModifiedProperties';Expression={[string]::Join(";", ($_.ModifiedProperties))}},Succeeded,Error
$logs.Count

# One event per audit record; the message is the Format-List rendering of the record
foreach ($log in $logs) {
    #Write-EventLog -LogName Application -Source $SourceName -EntryType $loglevel -EventID $EventID -Message $log
    Write-EventLog -LogName Application -Source $SourceName -EntryType $loglevel -EventID $EventID -Message ($log | Format-List | Out-String)
}

Grok (this works on the herokuapp site)

RunDate : %{DATE:date} %{TIME:time} Caller : %{GREEDYDATA:caller} ObjectModified : %{GREEDYDATA:objectmodified} CmdletName : %{GREEDYDATA:cmdletname} CmdletParameters : %{GREEDYDATA:cmdletparameters} ModifiedProperties : %{GREEDYDATA:modifiedproperties} Succeeded : %{GREEDYDATA:succeeded} Error : %{GREEDYDATA:error}

But I am unable to get the event data parsed as expected and output the required fields. Any ideas?

Thanks


(Magnus Bäck) #2

I suggest you edit your post and move it to the Logstash category to make sure it's read by the right people.

What do the messages look like in Logstash? Please show the result of a stdout { codec => rubydebug } output.


(rhyse) #3

Hi

Sorry, it has taken me this long to get back (and thanks for your help so far)

I have added the following to my output

if [source_name] == "ExchangeAdminAudit" { stdout { codec => rubydebug } }

This results in the following

{
            "message" => "\n\nRunDate : 16/08/2016 06:47:36\nCaller : Services.local/Services.local/Backend/Users/Admin/Rhys Evans - Admin\nObjectModified : Mailstore08\nCmdletName : Move-ActiveMailboxDatabase\nCmdletParameters : ActivateOnServer,Identity\nModifiedProperties : AdminDisplayVersion\nSucceeded : True\nError : None",
           "@version" => "1",
         "@timestamp" => "2016-08-16T08:36:34.000Z",
         "event_data" => {
        "param1" => "\n\nRunDate : 16/08/2016 06:47:36\nCaller : Services.local/Services.local/Backend/Users/Admin/Rhys Evans - Admin\nObjectModified : Mailstore08\nCmdletName : Move-ActiveMailboxDatabase\nCmdletParameters : ActivateOnServer,Identity\nModifiedProperties : AdminDisplayVersion\nSucceeded : True\nError : None"
    },
           "log_name" => "Application",
        "source_name" => "ExchangeAdminAudit",
      "record_number" => "750345",
           "event_id" => 1,
              "level" => "Information",
           "keywords" => [
        [0] "Classic"
    ],
               "type" => "wineventlog",
      "computer_name" => "S-PANELBE01.Services.local",
             "opcode" => "Info",
               "beat" => {
            "name" => "S-PANELBE01",
        "hostname" => "S-PANELBE01"
    },
               "tags" => [
        [0] "services.local",
        [1] "beats",
        [2] "beats_input_codec_plain_applied",
        [3] "_grokparsefailure"
    ],
               "host" => "S-PANELBE01"
}

I will look at how to move to the logstash forum

Thanks


(rhyse) #4

Hi

As an FYI I have managed to work around this for my purposes.

Script now looks like

$SourceName = "ExchangeAdminAudit"
$loglevel = "Information"
$EventID = "1"
$logs = Search-AdminAuditLog -StartDate (Get-Date).AddMinutes(-62) | Select-Object RunDate,Caller,ObjectModified,CmdletName,@{Name='CmdletParameters';Expression={[string]::Join(",", ($_.CmdletParameters))}},@{Name='ModifiedProperties';Expression={[string]::Join(";", ($_.ModifiedProperties))}},Succeeded,Error
$logs.Count
foreach ($log in $logs) {
    #Write-EventLog -LogName Application -Source $SourceName -EntryType $loglevel -EventID $EventID -Message $log
    Write-EventLog -LogName Application -Source $SourceName -EntryType $loglevel -EventID $EventID -Message ($log)
}

and grok now looks like

\{RunDate=%{DATE:date} %{TIME:time}; Caller=%{GREEDYDATA:caller}; ObjectModified=%{GREEDYDATA:objectmodified}; CmdletName=%{GREEDYDATA:cmdletname}; CmdletParameters=%{GREEDYDATA:cmdletparameters}; ModifiedProperties=%{GREEDYDATA:modifiedproperties}; Succeeded=%{GREEDYDATA:succeeded}; Error=%{GREEDYDATA:error}\}

Thanks
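
The two message layouts in this thread, parsed outside Logstash, as an added example that is not code from the thread or from the Elastic project. It transcribes the grok from post #1 into a Python regex (both Logstash's Oniguruma engine and Python's `re` treat `.` as not matching a newline unless a multiline/dotall flag is set, which is why `GREEDYDATA` could not cross the line breaks in the Format-List message and the event was tagged `_grokparsefailure`), shows a line-oriented pattern that does match that layout, and parses the single-line `@{Key=Value; Key=Value}` layout that the post #4 workaround produces. The two sample messages are constructed from the values shown in posts #3 and #4; the `run_date_iso` field and the day/month/year date format are assumptions, not something Exchange or the script emits.

```python
"""Parse the ExchangeAdminAudit event messages in both layouts seen in the thread."""
import re
from datetime import datetime

FIELDS = ["RunDate", "Caller", "ObjectModified", "CmdletName",
          "CmdletParameters", "ModifiedProperties", "Succeeded", "Error"]

# Constructed sample: the "$log | Format-List | Out-String" rendering that showed
# up in post #3's rubydebug output (leading blank lines, one field per line).
FORMAT_LIST_MSG = (
    "\n\nRunDate : 16/08/2016 06:47:36\n"
    "Caller : Services.local/Services.local/Backend/Users/Admin/Rhys Evans - Admin\n"
    "ObjectModified : Mailstore08\n"
    "CmdletName : Move-ActiveMailboxDatabase\n"
    "CmdletParameters : ActivateOnServer,Identity\n"
    "ModifiedProperties : AdminDisplayVersion\n"
    "Succeeded : True\n"
    "Error : None"
)

# Constructed sample: the same record when the PSCustomObject is passed straight
# to -Message (post #4); PowerShell stringifies it as "@{k=v; k=v}" on one line.
HASHTABLE_MSG = (
    "@{RunDate=16/08/2016 06:47:36; "
    "Caller=Services.local/Services.local/Backend/Users/Admin/Rhys Evans - Admin; "
    "ObjectModified=Mailstore08; CmdletName=Move-ActiveMailboxDatabase; "
    "CmdletParameters=ActivateOnServer,Identity; ModifiedProperties=AdminDisplayVersion; "
    "Succeeded=True; Error=None}"
)

# Post #1's grok transcribed: GREEDYDATA is ".*" and fields are separated by a space.
# "." does not match "\n" here or in Oniguruma, so this cannot span the Format-List lines.
SPACE_SEPARATED = re.compile(" ".join(rf"{f} : (?P<{f}>.*)" for f in FIELDS))

# Line-oriented equivalent: fields are separated by a newline, each value stops at the
# end of its line, and an empty value such as "ModifiedProperties :" is accepted.
LINE_SEPARATED = re.compile(
    r"\n".join(rf"{f}[ \t]*:[ \t]*(?P<{f}>[^\n]*)" for f in FIELDS))

# One "Key=Value" item of the "@{...}" layout: the value is lazy and ends at the next
# "; Key=" or at the closing brace, so values containing "/", "-" or "," survive.
HASHTABLE_ITEM = re.compile(r"(?P<key>\w+)=(?P<value>.*?)(?=; \w+=|\}$)")


def grok_like_search(pattern, msg):
    """Grok semantics: unanchored search, named captures on success, None on failure."""
    m = pattern.search(msg)
    return m.groupdict() if m else None


def parse_hashtable_string(msg):
    """Parse PowerShell's "@{Key=Value; Key=Value}" ToString() output into a dict."""
    msg = msg.strip()
    if not (msg.startswith("@{") and msg.endswith("}")):
        return None
    return {k: v.strip() for k, v in HASHTABLE_ITEM.findall(msg)}


def parse_event_message(msg):
    """Accept either layout and normalise the audit record into one dict."""
    rec = parse_hashtable_string(msg) or grok_like_search(LINE_SEPARATED, msg)
    if not rec:
        return None
    # Assumption: RunDate is rendered day/month/year, as in the thread's samples.
    rec["run_date_iso"] = datetime.strptime(
        rec.get("RunDate", ""), "%d/%m/%Y %H:%M:%S").isoformat()
    # Undo the script's own joins: "," for parameters, ";" for modified properties.
    rec["CmdletParameters"] = [p for p in rec.get("CmdletParameters", "").split(",") if p]
    rec["ModifiedProperties"] = [p for p in rec.get("ModifiedProperties", "").split(";") if p]
    rec["Succeeded"] = rec.get("Succeeded") == "True"
    return rec


if __name__ == "__main__":
    print("post #1 grok on multi-line message:", grok_like_search(SPACE_SEPARATED, FORMAT_LIST_MSG))
    print("same grok on the message with newlines collapsed:",
          grok_like_search(SPACE_SEPARATED, FORMAT_LIST_MSG.replace("\n", " ")) is not None)
    print(parse_event_message(FORMAT_LIST_MSG))
    print(parse_event_message(HASHTABLE_MSG))
```

The collapsed-newline case is what a single-line paste into a grok debugger exercises, which is why the pattern looked right there and failed on the real event. The `@{...}` layout is only safe while no value contains "; " followed by a word and "=", so the delimiter choice in the script matters if a field such as Caller can carry arbitrary text.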


(system) #5

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.