rhyse (rhyse), August 15, 2016, 8:27am, post 1
Hi
I am trying to parse a custom Windows event log into Elasticsearch. This event log is generated from a PowerShell script.
Event Data (event_data.param1):
RunDate : 15/08/2016 08:29:58
Caller : Services.local/HostedCompanies/xxxxxx/lukaszk00000
ObjectModified : Services.local/HostedCompanies/xxxxxx/lukaszk00000
CmdletName : Set-MailboxMessageConfiguration
CmdletParameters : SignatureHtml,AutoAddSignature,Identity
ModifiedProperties :
Succeeded : True
Error : None
PowerShell Script:
$SourceName = "ExchangeAdminAudit"
$loglevel = "Information"
$EventID = "1"
# Pull the last 62 minutes of Exchange admin audit entries and flatten the
# array-valued properties into delimited strings
$logs = Search-AdminAuditLog -StartDate (Get-Date).AddMinutes(-62) | Select-Object RunDate,Caller,ObjectModified,CmdletName,@{Name='CmdletParameters';Expression={[string]::join(",", ($_.CmdletParameters))}},@{Name='ModifiedProperties';Expression={[string]::join(";", ($_.ModifiedProperties))}},Succeeded,Error
$logs.count
foreach ($log in $logs) {
    #Write-EventLog -LogName Application -Source $SourceName -EntryType $loglevel -EventID $EventID -Message $log
    # Write each audit entry as one event, rendered as Format-List text
    Write-EventLog -LogName Application -Source $SourceName -EntryType $loglevel -EventID $EventID -Message ($log | Format-List | Out-String)
}
Grok (this works on the herokuapp site):
RunDate : %{DATE:date} %{TIME:time} Caller : %{GREEDYDATA:caller} ObjectModified : %{GREEDYDATA:objectmodified} CmdletName : %{GREEDYDATA:cmdletname} CmdletParameters : %{GREEDYDATA:cmdletparameters} ModifiedProperties : %{GREEDYDATA:modifiedproperties}Succeeded : %{GREEDYDATA:succeeded} Error : %{GREEDYDATA:error}
But I am unable to get the event data parsed as expected and output the required fields. Any ideas?
Thanks
I suggest you edit your post and move it to the Logstash category to make sure it's read by the right people.
What do the messages look like in Logstash? Please show the result of a stdout { codec => rubydebug } output.
rhyse (rhyse), August 16, 2016, 8:42am, post 3
Hi
Sorry it has taken me this long to get back (and thanks for your help so far).
I have added the following to my output:
if [source_name] == "ExchangeAdminAudit" { stdout { codec => rubydebug } }
This results in the following:
{
          "message" => "\n\nRunDate : 16/08/2016 06:47:36\nCaller : Services.local/Services.local/Backend/Users/Admin/Rhys Evans - Admin\nObjectModified : Mailstore08\nCmdletName : Move-ActiveMailboxDatabase\nCmdletParameters : ActivateOnServer,Identity\nModifiedProperties : AdminDisplayVersion\nSucceeded : True\nError : None",
         "@version" => "1",
       "@timestamp" => "2016-08-16T08:36:34.000Z",
       "event_data" => {
        "param1" => "\n\nRunDate : 16/08/2016 06:47:36\nCaller : Services.local/Services.local/Backend/Users/Admin/Rhys Evans - Admin\nObjectModified : Mailstore08\nCmdletName : Move-ActiveMailboxDatabase\nCmdletParameters : ActivateOnServer,Identity\nModifiedProperties : AdminDisplayVersion\nSucceeded : True\nError : None"
    },
         "log_name" => "Application",
      "source_name" => "ExchangeAdminAudit",
    "record_number" => "750345",
         "event_id" => 1,
            "level" => "Information",
         "keywords" => [
        [0] "Classic"
    ],
             "type" => "wineventlog",
    "computer_name" => "S-PANELBE01.Services.local",
           "opcode" => "Info",
             "beat" => {
            "name" => "S-PANELBE01",
        "hostname" => "S-PANELBE01"
    },
             "tags" => [
        [0] "services.local",
        [1] "beats",
        [2] "beats_input_codec_plain_applied",
        [3] "_grokparsefailure"
    ],
             "host" => "S-PANELBE01"
}
I will look at how to move this to the Logstash forum.
Thanks
rhyse (rhyse), August 16, 2016, 8:58am, post 4
Hi
As an FYI, I have managed to work around this for my purposes.
The script now looks like:
$SourceName = "ExchangeAdminAudit"
$loglevel = "Information"
$EventID = "1"
$logs = Search-AdminAuditLog -StartDate (Get-Date).AddMinutes(-62) | Select-Object RunDate,Caller,ObjectModified,CmdletName,@{Name='CmdletParameters';Expression={[string]::join(",", ($_.CmdletParameters))}},@{Name='ModifiedProperties';Expression={[string]::join(";", ($_.ModifiedProperties))}},Succeeded,Error
$logs.count
foreach ($log in $logs) {
    #Write-EventLog -LogName Application -Source $SourceName -EntryType $loglevel -EventID $EventID -Message $log
    # Write the object itself, so the message is its single-line string form
    Write-EventLog -LogName Application -Source $SourceName -EntryType $loglevel -EventID $EventID -Message ($log)
}
and the grok pattern now looks like:
\{RunDate=%{DATE:date} %{TIME:time}; Caller=%{GREEDYDATA:caller}; ObjectModified=%{GREEDYDATA:objectmodified}; CmdletName=%{GREEDYDATA:cmdletname}; CmdletParameters=%{GREEDYDATA:cmdletparameters}; ModifiedProperties=%{GREEDYDATA:modifiedproperties}; Succeeded=%{GREEDYDATA:succeeded}; Error=%{GREEDYDATA:error}\}
Thanks
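Why the first pattern failed and why the two later shapes parse, as an added Python example that is not from this thread or from Logstash itself. It expands grok-style `%{NAME:field}` references into named regex groups with a small, simplified pattern table (the `DATE` and `TIME` entries are narrower stand-ins for the stock grok definitions; `DATA` and `GREEDYDATA` are the real ones) and runs three patterns over messages constructed from the values quoted in the thread: the original pattern against the Format-List text (it cannot match: the message starts with two newlines, the fields are separated by newlines rather than single spaces, and `GREEDYDATA` does not cross a newline unless the pattern runs in multi-line mode, which in Logstash means prefixing the grok pattern with `(?m)`), a newline-tolerant version of that pattern, and the final key=value pattern from the last post. The single-line `@{key=value; ...}` sample is an assumption about how PowerShell renders the selected object when it is passed straight to `-Message`.

```python
import re

# Constructed sample messages, built from the values quoted in the thread.
# Shape 1: Format-List | Out-String output from the first script. Note the
# two leading newlines and the newline-separated fields.
FORMAT_LIST_MSG = (
    "\n\nRunDate : 16/08/2016 06:47:36\n"
    "Caller : Services.local/Services.local/Backend/Users/Admin/Rhys Evans - Admin\n"
    "ObjectModified : Mailstore08\n"
    "CmdletName : Move-ActiveMailboxDatabase\n"
    "CmdletParameters : ActivateOnServer,Identity\n"
    "ModifiedProperties : AdminDisplayVersion\n"
    "Succeeded : True\n"
    "Error : None"
)

# Shape 2: the object written directly with -Message ($log) in the second
# script; assumed to render in PowerShell's "@{key=value; ...}" form, which is
# the shape the thread's final grok pattern expects.
HASHTABLE_MSG = (
    "@{RunDate=15/08/2016 08:29:58; "
    "Caller=Services.local/HostedCompanies/xxxxxx/lukaszk00000; "
    "ObjectModified=Services.local/HostedCompanies/xxxxxx/lukaszk00000; "
    "CmdletName=Set-MailboxMessageConfiguration; "
    "CmdletParameters=SignatureHtml,AutoAddSignature,Identity; "
    "ModifiedProperties=; Succeeded=True; Error=None}"
)

# Simplified stand-ins for the stock grok library (DATE and TIME are narrower
# than the real definitions; DATA and GREEDYDATA are exactly the real ones).
GROK_PATTERNS = {
    "DATE": r"\d{2}/\d{2}/\d{4}",
    "TIME": r"\d{2}:\d{2}:\d{2}",
    "DATA": r".*?",       # lazy: stops at the next literal in the pattern
    "GREEDYDATA": r".*",  # greedy: runs to the end of the line (or text)
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into named capture groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(expand, pattern)


def grok_match(pattern, text, multiline=False):
    """Unanchored search, as the grok filter does; returns a field dict or None.

    multiline=True lets '.' cross newlines, the equivalent of prefixing a
    Logstash grok pattern with (?m).
    """
    flags = re.DOTALL if multiline else 0
    m = re.search(grok_to_regex(pattern), text, flags)
    return m.groupdict() if m else None


# The thread's first pattern as posted: single spaces between fields, so the
# newline after the time already breaks the match.
ORIGINAL_PATTERN = (
    "RunDate : %{DATE:date} %{TIME:time} Caller : %{GREEDYDATA:caller} "
    "ObjectModified : %{GREEDYDATA:objectmodified} CmdletName : %{GREEDYDATA:cmdletname} "
    "CmdletParameters : %{GREEDYDATA:cmdletparameters} "
    "ModifiedProperties : %{GREEDYDATA:modifiedproperties}Succeeded : %{GREEDYDATA:succeeded} "
    "Error : %{GREEDYDATA:error}"
)

# Newline-tolerant version: \s* around every separator, and lazy DATA for the
# inner fields so no value swallows the next label; GREEDYDATA only on the last.
MULTILINE_PATTERN = (
    r"RunDate\s*:\s*%{DATE:date}\s+%{TIME:time}\s*"
    r"Caller\s*:\s*%{DATA:caller}\s*"
    r"ObjectModified\s*:\s*%{DATA:objectmodified}\s*"
    r"CmdletName\s*:\s*%{DATA:cmdletname}\s*"
    r"CmdletParameters\s*:\s*%{DATA:cmdletparameters}\s*"
    r"ModifiedProperties\s*:\s*%{DATA:modifiedproperties}\s*"
    r"Succeeded\s*:\s*%{DATA:succeeded}\s*"
    r"Error\s*:\s*%{GREEDYDATA:error}\s*$"
)

# The thread's final pattern, verbatim, for the single-line key=value form.
# GREEDYDATA is safe here because each label occurs once and the regex
# backtracks to it.
HASHTABLE_PATTERN = (
    r"\{RunDate=%{DATE:date} %{TIME:time}; Caller=%{GREEDYDATA:caller}; "
    r"ObjectModified=%{GREEDYDATA:objectmodified}; CmdletName=%{GREEDYDATA:cmdletname}; "
    r"CmdletParameters=%{GREEDYDATA:cmdletparameters}; "
    r"ModifiedProperties=%{GREEDYDATA:modifiedproperties}; "
    r"Succeeded=%{GREEDYDATA:succeeded}; Error=%{GREEDYDATA:error}\}"
)


def parse_audit_event(message):
    """Try both message shapes; split the delimited fields into lists."""
    fields = grok_match(HASHTABLE_PATTERN, message) or grok_match(
        MULTILINE_PATTERN, message, multiline=True
    )
    if fields is None:
        return None
    fields["cmdletparameters"] = [p for p in fields["cmdletparameters"].split(",") if p]
    fields["modifiedproperties"] = [p for p in fields["modifiedproperties"].split(";") if p]
    return fields
```

Running `grok_match(ORIGINAL_PATTERN, FORMAT_LIST_MSG)` returns `None`, which is the `_grokparsefailure` tag seen in the rubydebug output; `parse_audit_event` handles either message shape and turns `CmdletParameters` and `ModifiedProperties` back into lists, which is what you want indexed when reviewing who changed which mailbox settings.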