Extract and add field

HugoBang · May 10, 2016, 7:56am

Hello,

How can I extract a value from message field and add field with the extracted value?

For example, message field is as below.

"message": "This is a test.\n\nSubject:\n\tSecurity ID:\t\tT-E-S-T\n\tAccount Name:\t\tTEST$\n\tAccount Domain:\t\ttest\n\tLogon ID:\t\ttest\n\nService:\n\tServer:\tNT Test / Test\n\tService Name:\tTestProcess()\n\nProcess:\n\tProcess ID:\ttest\n\tProcess Name:\tC:\Windows\System32\test.exe\n\nService Request Information:\n\tPrivileges:\t\tTest"

I want to extract only "C:\Windows\System32\test.exe" from the message and add field.

How can I do that with filter of Logstash?

magnusbaeck · May 10, 2016, 8:44am

Have a look at the grok filter.

HugoBang · May 10, 2016, 8:55am

I am trying with grok filter. Could you give me any guidance? The filter below is not working.

  grok {
     match => { "message" => "(?<process_name>C\:*.exe)" }
  }

magnusbaeck · May 10, 2016, 10:50am

You're on the right track but your regexp is wrong. This should at least be closer:

(?<process_name>C:\\\S\.exe)

Literal backslashes need to be escaped, \S matches all non-whitespace characters, and periods should be escaped too. You should probably Include "Process Name" too since there might an .exe filepath somewhere else in the message.

HugoBang · May 11, 2016, 6:02am

Thank you for your feedback.

But it is not working. The process_name field is not added.

Also I can't find any error logs at the logstash logs.

fbaligand · May 11, 2016, 7:55am

Try this, this should work :
(?<process_name>C:\\.*\.exe)

HugoBang · May 12, 2016, 3:35am

It works.

Thank you a lot!!

fbaligand · May 12, 2016, 5:50am

You're welcome