Filter and Grok


(Jason) #1

Hello.
I need help with a Logstash configuration. I'd like to define a filter that extracts specific information from my Windows Event Log. For example, in the Windows Event Log entry below I just need the account name and the file or folder that was deleted.

2017-08-16T02:52:49+04:30 172.30.10.17 WIN-4EQI0PB1GO1 MSWinEventLog    4   Security    41  Wed Aug 16 02:52:48 2017    4663    Microsoft-Windows-Security-Auditing WIN-4EQI0PB1GO1\Administrator   N/A Success Audit   WIN-4EQI0PB1GO1 File System An attempt was made to access an object. Subject: Security ID: S-1-5-21-1303077657-3015995219-3935651026-500 Account Name: Administrator Account Domain: WIN-4EQI0PB1GO1 Logon ID: 0x16cda Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\Desktop\New folder\mic Handle ID: 0x3ac Process Information: Process ID: 0x35c Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: DELETE Access Mask: 0x10000 40 path:/var/log/172.30.10.17/messages @timestamp:August 15th 2017, 00:22:13.667 @version:1 host:localhost.localdomain type:syslog tags:netsyslog _id:AV3kxXsuDr9iQpHqoXMQ _type:syslog _index:index_name-2017.08.15 _score: -

Can you show me some example or advice?

Thank you.
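
One way to do this with two grok passes, as an added example that is not from the original thread: the first pass pulls the Event ID out of the Snare-style header so the pipeline can branch on it, and the second pass, run only for 4663 (object access), extracts the subject and the object. Field names such as `event_id`, `account_name`, `object_name` and `accesses` and the failure tags are assumptions chosen for this example.

```logstash
filter {
  # Pass 1: extract the Event ID from the Snare header. Snare separates header
  # fields with tabs, so \s+ is used rather than a literal tab or space.
  # %{INT:event_id:int} stores the value as an integer, which lets the
  # conditional below compare numerically instead of by substring.
  grok {
    match => {
      "message" => "MSWinEventLog\s+%{INT:snare_criticality}\s+%{WORD:event_log}\s+%{INT:snare_counter}\s+%{DATA:event_time}\s+%{INT:event_id:int}\s+Microsoft-Windows-Security-Auditing"
    }
    tag_on_failure => ["_grok_header_failed"]
  }

  # Pass 2: only for 4663. DATA is non-greedy, so each capture stops at the
  # next literal label; this is what lets "Object Name" keep paths that
  # contain spaces (C:\Users\Administrator\Desktop\New folder\mic).
  if [event_id] == 4663 {
    grok {
      match => {
        "message" => "Account Name: %{DATA:account_name} Account Domain: %{DATA:account_domain} Logon ID: %{WORD:logon_id} .*?Object Name: %{DATA:object_name} Handle ID: %{WORD:handle_id} .*?Process Name: %{DATA:process_name} Access Request Information: Accesses: %{DATA:accesses} Access Mask: %{WORD:access_mask}"
      }
      tag_on_failure => ["_grok_4663_failed"]
    }

    # "Accesses" can list several rights separated by spaces, so the whole
    # list is captured and a tag is set when DELETE is among them.
    if "DELETE" in [accesses] {
      mutate { add_tag => ["file_deleted"] }
    }
  }
}
```

For the sample line above this yields `account_name` = Administrator, `object_name` = `C:\Users\Administrator\Desktop\New folder\mic`, `accesses` = DELETE and the tag `file_deleted`; events whose header does not parse are tagged `_grok_header_failed` so they can be found and the pattern adjusted. The Subject "Account Name" is the first one in the message, which is the only one in 4663, but other event IDs (for example logon events) repeat that label, so the pattern should not be reused for them unanchored.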


(Magnus Bäck) #2

Have you looked at the grok constructor web site?


(Jason) #3

Not really. I just need some examples.


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.