I have a log message which I split using grok and then use an if conditional to parse a field using the dissect filter. But it is giving me a "Dissector mapping, pattern not found" error.
I tried the dissect pattern on the https://dissect-tester.jorgelbg.me/ website and it was working fine there. Even for the pattern that errored, it was doing fine.
if 'kafka' not in [tags] {
  grok {
    tag_on_failure => ["windows_message_grok_failed"]
    match => {
      "message" => [
        "(?<[windows][event_id]>[0-9]*)#011(?<unknown_field>[a-zA-Z/s]*)011#011%{GREEDYDATA:event_text}"
      ]
    }
    add_tag => ["windows"]
  }
  if [windows][event_id] == '4662' {
    dissect {
      id => "dissect_pattern_windows_4662"
      mapping => {
        "event_text" => "%{text->}Subject%{?ignore->}Security ID:%{[subject][security_id]->}Account Name:%{[subject][account_name]->}Account Domain:%{[subject][account_domain]->}Logon ID:%{[subject][logon_id]->}Object:%{?ignore->}Object Server:%{[object][server]->}Object Type:%{[object][object_type]->}Object Name:%{[object][object_name]->}Handle ID:%{[object][handle_id]->}Operation:%{?ignore->}Operation Type:%{[operation][operation_type]->}Accesses:%{[operation][accesses]->}Access Mask:%{[operation][access_mask]->}Properties:%{[operation][properties]->}Additional Information:%{?ignore->}Parameter 1:%{[additional_information][parameter1]->}Parameter 2:%{[additional_information][parameter2]->}#011%{residue_code->}"
      }
      add_tag => ["event_id_parsed","dissect_4662"]
    }
  }
}
Also, here is one message for which I got the above warning. (This works perfectly on the above website with the pattern above.)
This is the text that comes under the "event_text" field, which is parsed out by the grok filter. Using the above website and the dissect filter pattern, I was able to get it working on the website. But in Logstash, it returns the "Dissector mapping, pattern not found" error.
An operation was performed on an object. Subject : Security ID: P-7-5-21-1593251271-26251271 Account Name: FIDILIS$ Account Domain: FW-TRA Logon ID: 0x16ACD1E8D Object: Object Server: DS Object Type: %{df232386-0fg5-00d0-a878-53312d5f5926} Object Name: %{233423q5-2fb3-4mac-b2ce-42295d4544423} Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Read Property Access Mask: 0x10 Properties: Read Property {233423q5-2fb3-4mac-b2ce-42295d4544423} Additional Information: Parameter 1: - Parameter 2: #0111877943017\n
Does anyone know the cause of this behaviour and how to solve it?
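As an added debugging aid (not part of the original post, and not the logstash-filter-dissect plugin itself), here is a small Ruby re-implementation of the parts of dissect that the mapping above uses: `%{field}`, `%{?skip}`, `%{[outer][inner]}` nested names and the `->` suffix that skips repeated delimiters. It runs the poster's mapping against the sample event text and, when a delimiter cannot be found, reports which one and after which field, which is the condition behind the "pattern not found" warning. Values keep their surrounding whitespace. The second, failing input is constructed by replacing the literal `#011` with a real tab purely to show what the failure report looks like; it is an illustration of the failure mode, not a claim about the cause of the poster's problem.

```ruby
# Added example: minimal dissect-style tokenizer used to check a mapping offline.
# It is NOT logstash-filter-dissect; it mirrors only the features used below.

# The mapping and event text from the post, embedded here as constructed input.
PATTERN_4662 = '%{text->}Subject%{?ignore->}Security ID:%{[subject][security_id]->}' \
  'Account Name:%{[subject][account_name]->}Account Domain:%{[subject][account_domain]->}' \
  'Logon ID:%{[subject][logon_id]->}Object:%{?ignore->}Object Server:%{[object][server]->}' \
  'Object Type:%{[object][object_type]->}Object Name:%{[object][object_name]->}' \
  'Handle ID:%{[object][handle_id]->}Operation:%{?ignore->}' \
  'Operation Type:%{[operation][operation_type]->}Accesses:%{[operation][accesses]->}' \
  'Access Mask:%{[operation][access_mask]->}Properties:%{[operation][properties]->}' \
  'Additional Information:%{?ignore->}Parameter 1:%{[additional_information][parameter1]->}' \
  'Parameter 2:%{[additional_information][parameter2]->}#011%{residue_code->}'

SAMPLE_4662 = 'An operation was performed on an object. Subject : Security ID: ' \
  'P-7-5-21-1593251271-26251271 Account Name: FIDILIS$ Account Domain: FW-TRA ' \
  'Logon ID: 0x16ACD1E8D Object: Object Server: DS ' \
  'Object Type: %{df232386-0fg5-00d0-a878-53312d5f5926} ' \
  'Object Name: %{233423q5-2fb3-4mac-b2ce-42295d4544423} Handle ID: 0x0 ' \
  'Operation: Operation Type: Object Access Accesses: Read Property Access Mask: 0x10 ' \
  'Properties: Read Property {233423q5-2fb3-4mac-b2ce-42295d4544423} ' \
  'Additional Information: Parameter 1: - Parameter 2: #0111877943017'

# Split a mapping into the literal text before the first field and a list of
# [field_spec, delimiter] pairs; the delimiter is the literal text that follows
# the field (nil for the last field, which takes the rest of the input).
def parse_dissect_pattern(pattern)
  leading = pattern[/\A[^%]*/]
  rest = pattern[leading.length..-1]
  segments = []
  until rest.empty?
    m = rest.match(/\A%\{([^}]*)\}/)
    raise ArgumentError, "expected %{...} at: #{rest[0, 20].inspect}" unless m
    rest = m.post_match
    delim = rest[/\A[^%]*/]
    raise ArgumentError, "two fields with no delimiter between them" if delim.empty? && !rest.empty?
    rest = rest[delim.length..-1]
    segments << [m[1], delim.empty? ? nil : delim]
  end
  [leading, segments]
end

# Decode "name", "?name", "[a][b]" and the trailing "->" modifier.
def parse_field_spec(spec)
  skip_repeats = spec.end_with?('->')
  name = skip_repeats ? spec[0...-2] : spec
  ignore = name.start_with?('?')
  name = name[1..-1] if ignore
  path = name.start_with?('[') ? name.scan(/\[([^\]]+)\]/).flatten : [name]
  { path: path, ignore: ignore, skip_repeats: skip_repeats }
end

def set_nested(hash, path, value)
  *parents, last = path
  parents.inject(hash) { |h, k| h[k] ||= {} }[last] = value
end

# Returns [true, fields] on success, or [false, reason] when a delimiter is not
# found in the input (the situation the Logstash warning reports).
def dissect(text, pattern)
  leading, segments = parse_dissect_pattern(pattern)
  return [false, "text does not start with #{leading.inspect}"] unless text.start_with?(leading)
  pos = leading.length
  fields = {}
  segments.each do |spec, delim|
    f = parse_field_spec(spec)
    if delim.nil?
      value = text[pos..-1]
      pos = text.length
    else
      idx = text.index(delim, pos)
      if idx.nil?
        return [false, "delimiter #{delim.inspect} not found after field #{spec.inspect} (offset #{pos})"]
      end
      value = text[pos...idx]
      pos = idx + delim.length
      # "->" modifier: swallow consecutive repeats of the same delimiter.
      pos += delim.length while f[:skip_repeats] && text[pos, delim.length] == delim
    end
    set_nested(fields, f[:path], value) unless f[:ignore]
  end
  [true, fields]
end

if __FILE__ == $PROGRAM_NAME
  ok, out = dissect(SAMPLE_4662, PATTERN_4662)
  puts(ok ? out.inspect : "pattern not found: #{out}")
  # Constructed failure: the literal "#011" replaced by a real tab character.
  ok, out = dissect(SAMPLE_4662.sub('#011', "\t"), PATTERN_4662)
  puts(ok ? out.inspect : "pattern not found: #{out}")
end
```

To debug a live event, paste the exact `event_text` value Logstash sees (with its real tabs and line breaks, not a copy that has been whitespace-normalised by a browser) in place of the constructed sample; the report names the first delimiter that cannot be located, which narrows the search to one literal in the mapping.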