Please let me ask how to collect Windows Defender logs using Logstash.
Windows Defender outputs a log such as the sample below when a virus is detected.
But the log has a lot of line breaks in one detection log.
So Logstash sends a lot of logs to Elasticsearch.
Please tell me how to send the below log as one entry.
@sample
Begin Quick Scan
Scan ID:{ECAB1DAA-924B-468D-AEB9-6FCEEBD153D1}
Scan Source:2
Start Time:日 10 11 2015 14:04:42
End Time:日 10 11 2015 14:07:13
Result Count:1
Threat Name:Tool:Win32/EICAR_Test_File
ID:17463
Severity:5
Number of Resources:3
Resource Schema:file
Resource Path:C:\Users\Administrator\Desktop\X5O!P%_AP[4_PZX54_P^7CC_7$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H.txt
Extended Info:5866324352432
Resource Schema:file
Resource Path:C:\Users\Administrator\Desktop\3.txt
Extended Info:5866324352432
Resource Schema:file
Resource Path:C:\Users\Administrator\Desktop\2.txt
Extended Info:5866324352432
End Scan
Use a multiline filter or multiline codec to join consecutive lines. The multiline logic would be something like "unless the line begins with 'Begin Quick Scan', join the current line with the previous line".
You're missing the negation in "unless the line begins with 'Begin Quick Scan', join the current line with the previous line". Add negate => true to the multiline filter.
Also, don't use type in the filter. That form has been deprecated for a long time and will be removed completely in Logstash 2.0. Wrap the filter in a conditional instead.
if [type] == "WindowsDefender" {
  multiline {
    ...
  }
}
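Added example, not code from either answer: a Python model of the multiline filter's "what => previous" behaviour that shows what negate => true changes on the question's log layout, plus a parser that turns one joined scan into fields. The second scan in the sample is constructed.

```python
import re

# Constructed sample in the layout from the question: two scans, the second is made up.
SAMPLE_LINES = [
    "Begin Quick Scan",
    "Scan ID:{ECAB1DAA-924B-468D-AEB9-6FCEEBD153D1}",
    "Result Count:1",
    "Threat Name:Tool:Win32/EICAR_Test_File",
    "Severity:5",
    "Resource Schema:file",
    "Resource Path:C:\\Users\\Administrator\\Desktop\\3.txt",
    "End Scan",
    "Begin Quick Scan",
    "Scan ID:{00000000-0000-0000-0000-000000000000}",  # constructed placeholder
    "Result Count:0",
    "End Scan",
]

def multiline_join(lines, pattern=r"^Begin Quick Scan", negate=True):
    """Model the multiline filter with what => "previous".
    A line that "matches" (after negation) is appended to the buffered event;
    any other line flushes the buffer and starts a new event."""
    regex = re.compile(pattern)
    events, buffer = [], []
    for line in lines:
        matched = bool(regex.search(line)) != negate  # negate => true flips the match
        if matched and buffer:
            buffer.append(line)
        else:
            if buffer:
                events.append("\n".join(buffer))
            buffer = [line]
    if buffer:
        events.append("\n".join(buffer))
    return events

def parse_scan(event):
    """Turn one joined scan event into a dict; repeated Resource blocks become a list."""
    fields = {"resources": []}
    for line in event.splitlines():
        key, sep, value = line.partition(":")  # first colon only: values may contain ':'
        if not sep:
            continue  # "Begin Quick Scan" / "End Scan" markers carry no value
        if key == "Resource Schema":
            fields["resources"].append({"schema": value})
        elif key in ("Resource Path", "Extended Info"):
            fields["resources"][-1][key] = value
        else:
            fields[key] = value
    return fields
```

With negate left at false the only lines that get joined are the "Begin Quick Scan" markers themselves, so every other line of a detection still becomes its own event.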