How to extract first line of message from Winlogbeat

Mark_Tellier · February 21, 2019, 4:52pm

Winlogbeat is sending Windows Event logs to logstash and I would like to create a new field by extracting the first line of the message field.

"message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tCORP-DC02$\n\tAccount Domain:\t\tACME\n\tLogon ID:\t\t0x238BCEAE\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeEnableDelegationPrivilege\n\t\t\tSeAssignPrimaryTokenPrivilege"

I have tried many filter variations without success, here is my current but results in only a copy of the message, like it's unable to split the message by newline:

filter {

  mutate {
    copy => { "message" => "message_head" }
  }

  mutate {
    split => ["message_head", "\n"]
  }

  mutate {
    replace => { "message_head" => "%{message_head[0]}" }
  }

}

This is the result I am after:
message_head: Special privileges assigned to new logon.

When testing the above filter sending a message with postman, it splits the string into an array and produces the desired results. However, I get a string copy of the message when received from Winlogbeat.

Any suggestions would be most appreciated.

Badger · February 21, 2019, 5:30pm

There is no fancy quoting or escaping in logstash configurations You want a liternal newline embedded in the string.

    mutate { split => { "message" => "
" } }

Or config.support_escapes.

Mark_Tellier · February 21, 2019, 7:55pm

Thanks for the recommendation Badger, but the output is now just "A", so looks like the string isn't being parsed and it's taking the first character.

filter {

  mutate {
    copy => { "message" => "message_head" }
  }

  mutate {
    split => ["message_head", ""]
  }

  mutate {
    replace => { "message_head" => "%{message_head[0]}" }
  }
}

Output:
"message_head": "A"

Badger · February 21, 2019, 8:41pm

That will split it into an array of several hundred single characters. So yes, "%{message_head[0]}" will just pick up the first character of the original message.

Mark_Tellier · February 21, 2019, 9:28pm

Badger, I finally understood what you were saying and it works perfect, thanks for helping me out. I've searched through the forums and read through the documentation and nowhere did I come across anything that refers to a literal return.

Here is my final filter:

filter {

  mutate {
    copy => { "message" => "message_head" }
  }

  mutate {
    split => ["message_head", "
"]}

  mutate {
    replace => { "message_head" => "%{message_head[0]}" }
  }

}

And a sample result:
"message_head": "An account was logged off."

system · March 21, 2019, 9:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.