Extract the message from an Alert FileBeat

Michael_Dylan_McAloo · May 31, 2021, 8:27am

I need help because I don't know how to select only the part of the message where it says "NMAP ping sweep Scan".

05/28-10:30:30:52.840974 [**] [1:10000004:1] "NMAP ping sweep Scan" [**] [Priority: 0] {TCP}

I got this:

 processors:
    - dissect:
        tokenizer: ' "%{service.message}" '
        filed: "message"
        target_prefix: "message"

spinscale · May 31, 2021, 9:02am

This Beats Playground allows to play around with beats processors and extract the data, hope t hat helps to get started

Michael_Dylan_McAloo · May 31, 2021, 9:46am

Ohhh, thank you very much

Michael_Dylan_McAloo · May 31, 2021, 10:02am

I have a question, what is the reason for this part of the code?

layouts:
      - 2006-01-02T15:04:05.999999999Z07:00

spinscale · May 31, 2021, 11:17am

See Timestamp | Filebeat Reference [7.13] | Elastic - a list of timestamps that should be able to parse.. this one aims at nanosecond resolution and time zones I would guess

system · June 28, 2021, 11:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat - Dissect Message String Beats filebeat	4	3300	November 9, 2020
Dissect message playground Beats filebeat	2	430	May 16, 2021
Filebeat dissect Beats filebeat	1	1089	February 11, 2021
Extract date from message Beats filebeat	2	601	May 8, 2018
How to make the changes in filebeat effective Beats filebeat	22	1206	February 2, 2021