Multiple match in one grok {}

shani · August 27, 2020, 7:29am

Hi All,

I want to match multiple different fields using GROK, this doesn't work

grok {
            match => {
              "winlog_subject" => "Subject:\\nSecurity ID:%{DATA:[winlog][event_data][SubjectUserSid]}\\nAccount Name:%{DATA:[winlog][event_data][SubjectUserName]}\\nAccount Domain:%{DATA:[winlog][event_data][SubjectDomainName]}\\nLogon ID:%{DATA:[winlog][event_data][SubjectLogonId]}$"
            }
            match => {
              "winlog_logon" => ["Logon Information:\\nLogon Type:%{DATA:[winlog][event_data][LogonType]}\\nRestricted Admin Mode:%{DATA:[winlog][event_data][RestrictedAdminMode]}\\nVirtual Account:%{DATA:[winlog][event_data][VirtualAccountNumber]}\\nElevated Token:%{WORD:[winlog][event_data][ElevatedToken]}","Logon Type:%{NUMBER:[winlog][event_data][LogonType]}"]
            }
            match => {
              "winlog_impersonation" => "Impersonation Level:%{WORD:[winlog][event_data][ImpersonationLevel]}"
            }
            match => {
              "winlog_newlogon" => "New Logon:\\nSecurity ID:%{DATA:[winlog][event_data][TargetUserSid]}\\nAccount Name:%{DATA:[winlog][event_data][TargetUserName]}\\nAccount Domain:%{DATA:[winlog][event_data][TargetDomainName]}\\nLogon ID:%{DATA:[winlog][event_data][TargetLogonId]}\\nLinked Logon ID:%{DATA:[winlog][event_data][LinkedLogonId]}\\nNetwork Account Name:%{DATA:[winlog][event_data][NetworkAccountName]}\\nNetwork Account Domain:%{DATA:[winlog][event_data][NetworkAccountDomain]}\\nLogon GUID:%{DATA:[winlog][event_data][LogonGuid]}$"
            }
            match => {
              "winlog_process" => "Process Information:\\nProcess ID:%{DATA:[winlog][event_data][ProcessId]}\\nProcess Name:%{DATA:[winlog][event_data][ProcessName]}$"
            }
            match => {
              "winlog_network" => "Network Information:\\nWorkstation Name:%{DATA:[winlog][event_data][WorkStationName]}\\nSource Network Address:%{IPV4:[winlog][event_data][SrcNetworkAddress]}\\nSource Port:%{NUMBER:[winlog][event_data][SourcePort]}$"
            }
            match => {
              "winlog_authentication" => "%{GREEDYDATA:[winlog][event_data][authentication]}"
            }
          }#end_grok

shani · August 28, 2020, 4:38pm

Hi All,

Can anyone please reply me on this^

Would be greatful!

Badger · August 28, 2020, 4:43pm

Generally it is a bad idea to supply an option to a filter more than once. logstash will combine them and sometimes it does it a way that you would not expect. You probably want to add a break_on_match option

shani:

grok {
    break_on_match => false
            match => {
              "winlog_subject" => "Subject:\\nSecurity ID:%{DATA:[winlog][event_data][SubjectUserSid]}\\nAccount Name:%{DATA:[winlog][event_data][SubjectUserName]}\\nAccount Domain:%{DATA:[winlog][event_data][SubjectDomainName]}\\nLogon ID:%{DATA:[winlog][event_data][SubjectLogonId]}$"
              "winlog_logon" => ["Logon Information:\\nLogon Type:%{DATA:[winlog][event_data][LogonType]}\\nRestricted Admin Mode:%{DATA:[winlog][event_data][RestrictedAdminMode]}\\nVirtual Account:%{DATA:[winlog][event_data][VirtualAccountNumber]}\\nElevated Token:%{WORD:[winlog][event_data][ElevatedToken]}","Logon Type:%{NUMBER:[winlog][event_data][LogonType]}"]
              "winlog_impersonation" => "Impersonation Level:%{WORD:[winlog][event_data][ImpersonationLevel]}"
              "winlog_newlogon" => "New Logon:\\nSecurity ID:%{DATA:[winlog][event_data][TargetUserSid]}\\nAccount Name:%{DATA:[winlog][event_data][TargetUserName]}\\nAccount Domain:%{DATA:[winlog][event_data][TargetDomainName]}\\nLogon ID:%{DATA:[winlog][event_data][TargetLogonId]}\\nLinked Logon ID:%{DATA:[winlog][event_data][LinkedLogonId]}\\nNetwork Account Name:%{DATA:[winlog][event_data][NetworkAccountName]}\\nNetwork Account Domain:%{DATA:[winlog][event_data][NetworkAccountDomain]}\\nLogon GUID:%{DATA:[winlog][event_data][LogonGuid]}$"
              "winlog_process" => "Process Information:\\nProcess ID:%{DATA:[winlog][event_data][ProcessId]}\\nProcess Name:%{DATA:[winlog][event_data][ProcessName]}$"
              "winlog_network" => "Network Information:\\nWorkstation Name:%{DATA:[winlog][event_data][WorkStationName]}\\nSource Network Address:%{IPV4:[winlog][event_data][SrcNetworkAddress]}\\nSource Port:%{NUMBER:[winlog][event_data][SourcePort]}$"
              "winlog_authentication" => "%{GREEDYDATA:[winlog][event_data][authentication]}"
            }
          }#end_grok

Of course that assumes that those 7 fields already exist.

shani · August 29, 2020, 2:07pm

this didn't work for me

error details

%{winlog_subject}\n\n%{winlog_after_subject}"}\n tag_on_failure => ["event_code_4719_dissect_again_failed"]\n }#end_dissect\n }#end_if_after_first_failed_dissect\n # apply grok to extract exact event of interest / required fields\n grok {\n break_on_match => false\n match ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:183:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/reload.rb:53:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:357:in `block in converge_state'"]}

code:

grok {
break_on_match => false
match => {
"winlog_header" => "<%{NOTSPACE}>%{SPACE}%{HOSTNAME:host_name}%{GREEDYDATA:remaining_winlog_header}"
"winlog_subject" => "Subject:\nSecurity ID:%{DATA:winlog_eventdata_SubjectUserSid}\nAccount Name:%{DATA:winlog_eventdata_SubjectUserName}\nAccount Domain:%{DATA:winlog_eventdata_SubjectDomainName}\nLogon ID:%{GREEDYDATA:winlog_eventdata_SubjectLogonId}"
"winlog_service" => "Service:\nServer:%{DATA:service_server}\nService Name:%{DATA:winlog_eventdata_ServiceName}\n"
"winlog_process" => "Process Information:\nProcess ID:%{DATA:winlog_eventdata_ProcessId}\nProcess Name:%{DATA:winlog_eventdata_ProcessName}"
"winlog_ServiceRequestInformation" => "Service Request Information:\nPrivileges:%{DATA:service_privileges}\n"
"winlog_after_subject" => "%{GREEDYDATA:catch_all}"
}
tag_on_failure => ["event_code_4719_grokfailed"]
}#end_grok

shani · August 29, 2020, 2:15pm

Sir, if a field (i.e winlog_after_subject) doesn't exist and we apply to grok on that field how grok behaves then. we're saying in grok like extract more fields using regex on the source field but if it doesn't exists then will it throw an error or how will it treat.

Am I causing error due to this behavior?

Badger · August 29, 2020, 2:45pm

What is the actual error message?

shani · August 30, 2020, 8:46am

it's working now thank you

system · September 27, 2020, 8:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.