This seems to give _grokparsefailure a hundred percent of the time:
if [event][action]=="Process Creation" {
  grok {
    match => { "winlog.event_data.NewProcessName" => "(?<directory>.*)\\(?<executable>%{DATA:executable}\.exe)" }
  }
}
Yet when I test it in debuggers it seems to be working. Here are some sample field values I have been testing on:
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Any idea how to fix?
It works for me, although I would recommend
"(?<directory>.*)\\(?<executable>%{DATA}\.exe)"
to avoid [executable] being an array like
"executable" => [
[0] "AdobeARM.exe",
[1] "AdobeARM"
]
Weird I am trying your adjustment as well but still getting a _grokparsefailure
I'm assuming there's some underlying issue here, just not sure how to find it.
Rios, May 17, 2023, 8:35am
Might be issues in old LS versions 7-.
grok {
  match => { "message" => "(?<directory>.*)\\%{DATA:executable}\.exe" }
}
Pure regex:
grok {
  match => { "message" => "(?<directory>.*)\\(?<executable>[^\/]*)\.exe" }
}
Result:
"directory" => "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0",
"executable" => "AdobeARM"
With exe at the end.
grok {
  match => { "message" => "(?<directory>.*)\\%{GREEDYDATA:executable}" }
}
grok {
  match => { "message" => "(?<directory>.*)\\(?<executable>[^\/]*$)" }
}
Result:
"directory" => "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0",
"executable" => "AdobeARM.exe"
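As an added example (not code from the thread), the Ruby script below applies the two pure-regex variants from the reply above to the sample field values from the question, using the same Oniguruma-style named captures grok uses, and returns nil wherever grok would tag _grokparsefailure. The split_process_name helper and the extra non-.exe input are assumptions for illustration.

```ruby
# Added example: mimic a grok match against the two "pure regex" patterns
# from the thread and compare what each one captures.

# Constructed copies of the three sample field values from the question,
# plus one value without a .exe suffix to show the failure case.
SAMPLE_PATHS = [
  'C:\Windows\SysWOW64\cmd.exe',
  'C:\Windows\System32\wbem\WmiPrvSE.exe',
  'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe',
  'C:\Windows\notepad',
].freeze

# Variant from the thread that strips the extension: executable => "AdobeARM"
STRIP_EXT = /(?<directory>.*)\\(?<executable>[^\/]*)\.exe/

# Variant from the thread that keeps the extension: executable => "AdobeARM.exe"
KEEP_EXT = /(?<directory>.*)\\(?<executable>[^\/]*$)/

# Mimic a grok match: return the named captures as a Hash of field => value,
# or nil when the pattern does not match (grok would add _grokparsefailure).
def grok_like_match(pattern, value)
  m = pattern.match(value)
  return nil unless m
  m.names.each_with_object({}) { |name, fields| fields[name] = m[name] }
end

# Hypothetical helper: choose the pattern variant and split one field value.
def split_process_name(value, keep_extension: false)
  grok_like_match(keep_extension ? KEEP_EXT : STRIP_EXT, value)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PATHS.each do |path|
    puts path
    p split_process_name(path)                       # nil for the notepad case
    p split_process_name(path, keep_extension: true) # still matches notepad
  end
end
```

Both patterns need at least one backslash in the value, so a bare file name such as cmd.exe also fails. Note also that a grok match key written as winlog.event_data.NewProcessName names a top-level field literally called that; the nested field Winlogbeat ships is addressed in Logstash as [winlog][event_data][NewProcessName], and a field that does not exist cannot match.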