Help with parsing Kaspersky logs


(F) #1

Not sure if this should be asked here or maybe Kibana so please let me know if this isn't the right place.....

I've written a grok pattern using a Grok debugger tool and the tool gives me the proper named fields, but when I add the pattern as a filter conf file in Logstash it's being parsed differently in Kibana. As you will see in the screenshot, the Reason field is including a lot of the fields I am attempting to parse, but the kvdata fields are parsing correctly.

Here is my pattern:

```
filter {
  if [type] == "kaspersky-av" {
    grok {
      # Grok patterns are regular expressions: the literal '|' between product and version
      # and the '[' ']' around the structured-data block must be escaped, and each
      # "Name:", "Path:", "Process ID:" line starts after a newline (\n), not \N or \P.
      match => { "message" => "%{SYSLOGTIMESTAMP}\s%{IPV4:SourceIP}\s%{INT}\s%{TIMESTAMP_ISO8601}\s%{HOSTNAME}\s%{DATA:Code}\|%{GREEDYDATA:version} -\s%{USERNAME}\s\[event@%{HOSTNAME}\s%{GREEDYDATA:kvdata}\]\sEvent type:\s%{DATA:Event_type}\nName:\s%{DATA:Name}\nPath:\s%{GREEDYDATA:Path}\nProcess ID:\s%{GREEDYDATA:Process_ID}\nUser:\s%{GREEDYDATA:User}\r\nComponent:\s%{GREEDYDATA:Component}Description:\s%{DATA:Description}Type:\s%{DATA:Type}Name:\s%{DATA:Name2}Threat level:\s%{DATA:Threat_level}Precision:\s%{DATA:Precision}\r\nAction:\s%{DATA:Action}\r\nObject:\s%{DATA:Object}Type:\s%{DATA:Type2}Path:\s%{DATA:Path2}Name:\s%{DATA:Name3}\r\nReason:\s%{DATA:Reason}\r\n" }
    }
    kv {
      # Split the key="value" pairs captured in kvdata into their own fields,
      # stripping the surrounding double quotes from each value.
      source     => "kvdata"
      trim_value => "\""
    }
  }
}
```
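As an added example (not from the original post or from Logstash itself), this Ruby script compiles a grok-style pattern into the Ruby regex that Logstash's grok filter actually runs, parses a constructed Kaspersky Security Center style line, applies a kv split with quote trimming, and shows what happens to the captures when the product/version `|` is left unescaped. The grok pattern definitions are simplified stand-ins for the real library patterns, and the sample line is invented.

```ruby
# Simplified stand-ins for the grok library patterns used in the filter above.
PATTERNS = {
  "SYSLOGTIMESTAMP"   => '[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}',
  "IPV4"              => '(?:\d{1,3}\.){3}\d{1,3}',
  "INT"               => '[+-]?\d+',
  "TIMESTAMP_ISO8601" => '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}',
  "HOSTNAME"          => '[\w.-]+',
  "USERNAME"          => '[\w.-]+',
  "DATA"              => '.*?',   # lazy; '.' does not cross a newline
  "GREEDYDATA"        => '.*',    # greedy; '.' does not cross a newline
}.freeze

# Expand %{NAME} / %{NAME:field} into (?:...) / (?<field>...), as grok does.
def compile_grok(pattern)
  Regexp.new(pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    body = PATTERNS.fetch($1)
    $2 ? "(?<#{$2}>#{body})" : "(?:#{body})"
  end)
end

# Literal '|', '[' and ']' escaped, body lines joined with \n (as in the corrected filter).
FIXED_PATTERN = '%{SYSLOGTIMESTAMP}\s%{IPV4:SourceIP}\s%{INT}\s%{TIMESTAMP_ISO8601}\s' \
  '%{HOSTNAME}\s%{DATA:Code}\|%{GREEDYDATA:version} -\s%{USERNAME}\s' \
  '\[event@%{HOSTNAME}\s%{GREEDYDATA:kvdata}\]\sEvent type:\s%{DATA:Event_type}\n' \
  'Name:\s%{DATA:Name}\nPath:\s%{GREEDYDATA:Path}\nProcess ID:\s%{GREEDYDATA:Process_ID}\n' \
  'User:\s%{GREEDYDATA:User}\r\nComponent:\s%{GREEDYDATA:Component}\r\n' \
  'Reason:\s%{DATA:Reason}\r\n'
# Same pattern with the '|' unescaped: the regex becomes an alternation of two halves.
BROKEN_PATTERN = FIXED_PATTERN.sub('\|', '|')

# Equivalent of the kv filter with trim_value => "\"" over key="value" pairs.
def parse_kv(text)
  text.scan(/(\w+)=("[^"]*"|\S+)/).to_h { |k, v| [k, v.delete_prefix('"').delete_suffix('"')] }
end

def parse_kaspersky(line, grok_pattern)
  m = compile_grok(grok_pattern).match(line)
  return nil unless m
  fields = m.names.to_h { |n| [n, m[n]] }   # unmatched captures come back as nil
  fields["kv"] = parse_kv(fields["kvdata"]) if fields["kvdata"]
  fields
end

# Constructed sample event (all values invented for this example).
SAMPLE = "Sep 12 10:15:42 10.0.0.5 1 2019-09-12T10:15:42 ksc-host KES|11.0.0.0 - 3213 " \
  "[event@23668 et=\"GNRL_EV_VIRUS_FOUND\" hdn=\"WS-01\"] Event type: Malicious object detected\n" \
  "Name: EICAR-Test-File\nPath: C:\\tmp\\eicar.com\nProcess ID: 4711\nUser: CORP\\alice\r\n" \
  "Component: File Threat Protection\r\nReason: Detected by signature\r\n"

if __FILE__ == $PROGRAM_NAME
  p parse_kaspersky(SAMPLE, FIXED_PATTERN)   # Code => "KES", Reason => "Detected by signature"
  p parse_kaspersky(SAMPLE, BROKEN_PATTERN)  # Code => "", every capture after the '|' is nil
end
```

With the unescaped `|`, the left-hand alternative matches the syslog header on its own, so every field after it is nil; that is the kind of silent mis-capture a grok debugger will not flag unless you check each named field.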


(F) #2

I figured out my issue. This can be marked as resolved.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.