Logstash grok OSSEC

Jose_Campos · February 16, 2018, 1:54pm

Hello

A few days ago I was trying to make a grok to get the values of a specific field. For example, within my text lines I want to extract the data from 'Source Network Address'

Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: DSW2K12EXC Source Network Address: 10.240.67.111 Source Port: 23065

I tried to do it with this, but it has not worked. Can you give me some idea or correct me?

grok

{
patterns_dir => "/etc/logstash/patterns/"
match => { "message" => "\s*%{IP:Source Network Adrress}" }
}

Greetings

rcowart · February 17, 2018, 7:18am

Using your example message...

grok {
  match => {
    "message" => "Process Information: Process ID: (?<process_id>0x[0-9A-F]+) Process Name: %{GREEDYDATA:process_name} Network Information: Workstation Name: %{HOSTNAME:workstation_name} Source Network Address: %{IP:source_network_name} Source Port: %{NONNEGINT:source_port}"
  }
}

Testing this with Grok Debugger the results are...

{
  "source_network_name": "10.240.67.111",
  "process_id": "0x0",
  "process_name": "-",
  "source_port": "23065",
  "workstation_name": "DSW2K12EXC"
}

Jose_Campos · March 9, 2018, 5:24pm

Thanks @rcowart

Can you help me with whis?

New Logon: Security ID: S-1-5-21-887713730-3897031439-636582496-1618 Account Name: UG009494$

I did try with this, but didn't work.

grok {
match => ["message","New Logon: Security ID: {GREEDYDATA:security_id} Account Name: %{USERNAME:account_name}"]
}

Greetings

system · April 6, 2018, 5:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.