This is the log line
msg: Malware/Virus detected - Rtf.Exploit.CVE_2017_11882-6584355-0:Message denied for delivery:Announcement: Holiday Tomorrow
This is where i'm figuring out how to match the "Announcement: Holiday Tomorrow" or "Announcement Holiday Tomorrow" part of the log. It can have colon or not. At the moment i don't have the right pattern. I'm new to logstash.
grok {
match {
"msg" => "%{[^:]+$}:%{GREEDYDATA:headerSubject}"
}
}
Hi
If all messages have this exact same format, you could use "Announcement" as a separator of sorts:
grok { match { "msg" => "%{[^:]+$}:Announcement%{GREEDYDATA:headerSubjectTMP}" } }
And then you can mutate{} your headerSubjectTMP into the desired headerSubject and remove_field => ["headerSubjectTMP"].
Hope this helps.
Actually it will not be the same format. but i got the idea from you. I modified my log to have a "Subject - " part instead. so logstash config can be simple
msg: Malware/Virus detected - Rtf.Exploit.CVE_2017_11882-6584355-0:Message denied for delivery: Subject - Announcement: Holiday Tomorrow
grok {
match {
"msg" => "Subject - %{GREEDYDATA:headerSubject}"
}
}
Thank you!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.