Grok parsing for multiline logs (winlogbeat)



I'm having a problem making grok parsing work for a multiline log. I've tried \n or \r or both and can't seem to make it work. Here's an example:

Niveau d’emprunt d’identité : Emprunt d’identité

Nouvelle ouverture de session :
	ID de sécurité :		S-1-5-21-1519999410-1935793592-2975913076-18531
	Nom du compte :		PC154196$
	Domaine du compte :		CG974
	ID d’ouverture de session :		0x4FE8C2E1
	GUID d’ouverture de session :		{20A5E327-04E7-6178-3818-E9A074BAC6F3}

Informations sur le processus :
	ID du processus :		0x0
	Nom du processus :		-

Let's say I want to catch the "Nom du compte :" line. Here is what I tried:

  • Nouvelle ouverture de session\s:.+Nom du compte\s:\s+%{NOTSPACE:user_account}
  • Nouvelle ouverture de session\s:\n.+\n.+Nom du compte\s:\s+%{NOTSPACE:user_account}
  • Nouvelle ouverture de session\s:(\n|\r|\n\r).+(\n|\r|\n\r).+Nom du compte\s:\s+%{NOTSPACE:user_account}

Please note that I can't just put Nom du compte\s:\s+%{NOTSPACE:user_account}, as there are two lines like this in the log.

Any insights on this?
Thanks!


Also, using the multiline codec splits the log in several parts and I would like to avoid that.
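Added example, not code from the thread: a Python reconstruction of the problem above. It shows why the first grok attempt fails (`.` does not cross line breaks unless the engine is told to, `(?m)` in grok's Oniguruma engine, `re.DOTALL` here) and a section-aware parser that picks the right "Nom du compte" without regex anchoring. The sample message is constructed from the event quoted above; it assumes Windows CRLF line endings and adds a preceding "Sujet" section so that "Nom du compte" occurs twice, as the thread describes.

```python
import re

# Constructed sample modelled on the French Windows logon message quoted in
# the thread. Assumptions: Winlogbeat ships the whole message as one string
# with CRLF breaks; the "Sujet" section is constructed to make "Nom du compte"
# occur twice, as the poster describes.
SAMPLE = (
    "Sujet :\r\n"
    "\tNom du compte :\t\tSYSTEM\r\n"
    "\r\n"
    "Niveau d’emprunt d’identité : Emprunt d’identité\r\n"
    "\r\n"
    "Nouvelle ouverture de session :\r\n"
    "\tID de sécurité :\t\tS-1-5-21-1519999410-1935793592-2975913076-18531\r\n"
    "\tNom du compte :\t\tPC154196$\r\n"
    "\tDomaine du compte :\t\tCG974\r\n"
    "\r\n"
    "Informations sur le processus :\r\n"
    "\tID du processus :\t\t0x0\r\n"
)

# The grok attempt from the thread. The lazy ".*?" stops at the first
# "Nom du compte" after the anchor, so the earlier section's value is skipped,
# but only if "." may cross line breaks: (?m) in grok (Oniguruma), DOTALL here.
PATTERN = r"Nouvelle ouverture de session\s*:.*?Nom du compte\s*:\s*(?P<user_account>\S+)"

def grok_style(message, dotall=True):
    """Return the logon account, or None when the pattern does not match."""
    m = re.search(PATTERN, message, re.DOTALL if dotall else 0)
    return m.group("user_account") if m else None

def parse_sections(message):
    """Structure the message as {section: {field: value}} regardless of line
    endings. Indented 'name :<tabs>value' lines belong to the last unindented
    heading (a line whose text after ':' is empty); top-level single-line
    fields are stored under the '' key."""
    sections, current = {}, ""
    for line in message.splitlines():
        if not line.strip():
            continue
        name, _, value = line.strip().partition(":")
        name, value = name.strip(), value.strip()
        if not line.startswith("\t") and not value:   # section heading
            current = name
            sections[current] = {}
            continue
        if not line.startswith("\t"):                 # top-level field
            current = ""
        sections.setdefault(current, {})[name] = value
    return sections
```

`parse_sections(SAMPLE)["Nouvelle ouverture de session"]["Nom du compte"]` yields the logon account, and the same dictionary gives the SID and domain without one regex per field.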


I upgraded to Winlogbeat 5.0 and it seems that I won't need to parse the events myself since it is already creating the fields I'm interested in :smile:
