Grok parsing for multiline logs (winlogbeat)

Houss · November 28, 2016, 5:16am

Hello,

I'm having problem making the grok parsing work for multiline log. I've tried \n or \r or both and can't seem to make it work. Here's an example :

Niveau d’emprunt d’identité : Emprunt d’identité

Nouvelle ouverture de session :
	ID de sécurité :		S-1-5-21-1519999410-1935793592-2975913076-18531
	Nom du compte :		PC154196$
	Domaine du compte :		CG974
	ID d’ouverture de session :		0x4FE8C2E1
	GUID d’ouverture de session :		{20A5E327-04E7-6178-3818-E9A074BAC6F3}

Informations sur le processus :
	ID du processus :		0x0
	Nom du processus :		-

Let's say I want to catch the "Nom du compte :", here is what I tried :

Nouvelle ouverture de session\s:.+Nom du compte\s:\s+%{NOTSPACE:user_account}
Nouvelle ouverture de session\s:\n.+\n.+Nom du compte\s:\s+%{NOTSPACE:user_account}
Nouvelle ouverture de session\s:(\n|\r|\n\r).+(\n|\r|\n\r).+Nom du compte\s:\s+%{NOTSPACE:user_account}
Please note that I can't just put Nom du compte\s:\s+%{NOTSPACE:user_account} as there are two lines like this in the log.

Any insights on this ?
Thanks !

Houss · November 28, 2016, 5:37am

Also, using the multiline codec splits the log in several parts and I would like to avoid that.

Houss · November 28, 2016, 6:31am

I upgraded to winlogbeats 5.0 and it seeems that I won't need to parse the events myself since it is already creating the fields I'm interested in

system · December 26, 2016, 6:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.