Hi,
I received Windows events from another source in this format:
EventCode=1234
EventType= blah blah
User=me
Message=
key1:value1
arbitrary
....
Each event entry that comes into Logstash has a newline. I just want to concatenate them together to become like this:
EventCode=1234, EventType=......
in one line.
How can I craft my filter to do this? Is it through a multiline input filter?
thanks
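One way to do this, as an added example that is not part of the original thread: the multiline codec on the input joins the continuation lines into a single event (the older multiline filter is deprecated in favour of the codec), and a mutate gsub then replaces the embedded newlines with ", ". The file path and the assumption that every event begins with a line starting `EventCode=` are mine; adjust both to the real source.

```logstash
input {
  file {
    # Assumed location of the forwarded Windows events.
    path => "/var/log/winevents/*.log"
    start_position => "beginning"
    # Every event starts with a line beginning "EventCode=" (assumption).
    # negate => true means any line that does NOT match that pattern is a
    # continuation and is appended to the previous event, separated by "\n".
    codec => multiline {
      pattern => "^EventCode="
      negate  => true
      what    => "previous"
      # Without this the last event in the file is held back until the next
      # one arrives, because the codec cannot know the event is complete.
      auto_flush_interval => 5
    }
  }
}

filter {
  # The joined event now contains "\n" (or "\r\n" if the source is Windows)
  # between the original lines; collapse them into ", " to get one line:
  #   EventCode=1234, EventType= blah blah, User=me, Message=, key1:value1, ...
  mutate {
    gsub => [ "message", "\r?\n", ", " ]
  }
}
```

Two caveats: the codec belongs on the input (or on Filebeat's multiline options if the events come in through beats), not in the filter section, and the gsub should run before any grok or kv filter that expects the original line boundaries, otherwise those filters will have to split on ", " instead of on newlines.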
Here's one I put together for event ID 4624. I have no idea if this is optimal; there really doesn't seem to be much in the way of grok guidelines.
grok {
  # Stop at the first matching pattern (this is also grok's default).
  break_on_match => true
  match => {
    # The message is matched against the literal labels of the 4624 body; each
    # %{DATA} is non-greedy, so it stops at the next label. The optional group
    # around "Impersonation Level" lets the pattern also match events that do
    # not carry that line.
    'message' => '%{DATA:event_message}\n\nSubject:\n\tSecurity ID:\t\t%{DATA:security_id}\n\tAccount Name:\t\t%{DATA:subject_accountname}\n\tAccount Domain:\t\t%{DATA:subject_accountdomain}\n\tLogon ID:\t\t%{DATA:subject_logonid}\n\nLogon Type:\t\t\t%{INT:logon_type}\n\n(Impersonation Level:\t\t%{WORD:impersonation_level}\n\n)?New Logon:\n\tSecurity ID:\t\t%{DATA:logon_securityid}\n\tAccount Name:\t\t%{DATA:logon_accountname}\n\tAccount Domain:\t\t%{DATA:logon_accountdomain}\n\tLogon ID:\t\t%{DATA:logon_logonid}\n\tLogon GUID:\t\t%{DATA:logon_logonguid}\n\nProcess Information:\n\tProcess ID:\t\t%{DATA:process_processid}\n\tProcess Name:\t\t%{DATA:process_processname}\n\nNetwork Information:\n\tWorkstation Name:\t\t*%{DATA:networkinfo_workstationname}\n\tSource Network Address:\t%{DATA:network_address}\n\tSource Port:\t\t%{DATA:network_sourceport}\n\nDetailed Authentication Information:\n\tLogon Process:\t\t%{DATA:auth_logonprocess}\n\tAuthentication Package:\t%{DATA:auth_authpackage}\n\tTransited Services:\t%{DATA:auth_transitedservices}\n\tPackage Name \(NTLM only\):\t%{DATA:auth_packagename}\n\tKey Length:\t\t%{INT:auth_keylength}'
  }
}