Ingest Pipeline GROK filter:

```
{
  "grok": {
    "field": "message",
    "patterns": [
      "\\s*Workstation Name:(?!\\t-)\\s*%{DATA:winlog.event_data.WorkstationName}\\n\\t.*",
      "%{GREEDYDATA:message}"
    ],
    "trace_match": true,
    "ignore_missing": true,
    "if": "ctx?.winlog?.event_data?.WorkstationName == null"
  }
}
```
When the second pattern is added to the GROK filter in the Ingest Pipeline, the first pattern is ignored and the second pattern is matched. When I remove the second pattern, though, the first pattern is matched. Any idea why this is happening?
Message that's being matched:

```
An account was successfully logged on.

Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Impersonation Level:		Impersonation

New Logon:
	Security ID:		S-1-5-18
	Account Name:		ThisIsatest
	Account Domain:		Company
	Logon ID:		HexStuff
	Logon GUID:		{GUID}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	Test
	Source Network Address:	***********
	Source Port:		63218

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed
```
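The behaviour in the post can be reproduced outside Elasticsearch. This is an added example, not code from the original post or from Elastic; it rests on one assumption about the grok processor, namely that a `patterns` list is joined into a single regular expression with alternation (`(?<...0>pattern1)|(?<...1>pattern2)`, which is also where the `trace_match` index comes from). A regex engine always returns the leftmost match, so a catch-all such as `%{GREEDYDATA}` that can match at offset 0 wins over a more specific branch that can only match further into the text, whatever its position in the list. The sample event below is constructed to mirror the post, with the tab indentation a real 4624 message carries, and the grok macros are expanded by hand (`DATA` is `.*?`, `GREEDYDATA` is `.*`).

```python
import re

# Constructed sample of the 4624 message from the post, trimmed to the lines
# the two expressions care about, with real tab indentation under the headers.
MESSAGE = (
    "An account was successfully logged on.\n"
    "\n"
    "Network Information:\n"
    "\tWorkstation Name:\tTest\n"
    "\tSource Network Address:\t10.0.0.1\n"   # constructed address
    "\tSource Port:\t63218\n"
)

# The two grok expressions from the post with the macros expanded:
#   %{DATA:name}        -> (?P<name>.*?)
#   %{GREEDYDATA:message} -> (?P<message>.*)
PATTERNS = [
    r"\s*Workstation Name:(?!\t-)\s*(?P<WorkstationName>.*?)\n\t.*",
    r"(?P<message>.*)",
]

_BRANCH = re.compile(r"p\d+")


def _captures(match):
    """Named captures of a match, excluding the synthetic branch groups."""
    return {k: v for k, v in match.groupdict().items()
            if v is not None and not _BRANCH.fullmatch(k)}


def match_combined(patterns, text):
    """Assumed grok-processor behaviour: the list is joined into ONE alternation
    (?P<p0>...)|(?P<p1>...). The engine scans offsets from the left and returns
    the first offset at which ANY branch matches, so a branch that matches at
    offset 0 beats a later-matching branch regardless of list order.
    Returns (index of winning branch, match start offset, captures) or None."""
    combined = "|".join(f"(?P<p{i}>{p})" for i, p in enumerate(patterns))
    m = re.search(combined, text)
    if m is None:
        return None
    winner = next(i for i in range(len(patterns)) if m.group(f"p{i}") is not None)
    return winner, m.start(), _captures(m)


def match_sequential(patterns, text):
    """What the post's author expected: try each expression on its own, in
    order, and stop at the first one that matches anywhere in the text.
    Returns (index of matching pattern, match start offset, captures) or None."""
    for i, p in enumerate(patterns):
        m = re.search(p, text)
        if m is not None:
            return i, m.start(), _captures(m)
    return None


def demo():
    """Side-by-side result for the post's patterns, including the reversed
    list, which shows that ordering alone does not change the outcome."""
    return {
        "combined": match_combined(PATTERNS, MESSAGE),
        "combined_reversed": match_combined(PATTERNS[::-1], MESSAGE),
        "sequential": match_sequential(PATTERNS, MESSAGE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

In the combined form the catch-all branch matches at offset 0 and `WorkstationName` is never populated; reversing the list changes only the branch index, not the winner. Only the sequential form yields `WorkstationName == "Test"`. Two practical consequences for the pipeline in the post: a catch-all expression and a specific expression should not share one `patterns` list, so either drop the `%{GREEDYDATA}` line or move it into a second grok processor guarded by its own `if`, and when a shared list is unavoidable, every specific expression must be able to match from the same offset as the catch-all for list order to matter.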