Multiple match in one grok {}

Hi All,

I want to match multiple different fields using GROK, this doesn't work

grok {
            match => {
              "winlog_subject" => "Subject:\\nSecurity ID:%{DATA:[winlog][event_data][SubjectUserSid]}\\nAccount Name:%{DATA:[winlog][event_data][SubjectUserName]}\\nAccount Domain:%{DATA:[winlog][event_data][SubjectDomainName]}\\nLogon ID:%{DATA:[winlog][event_data][SubjectLogonId]}$"
            }
            match => {
              "winlog_logon" => ["Logon Information:\\nLogon Type:%{DATA:[winlog][event_data][LogonType]}\\nRestricted Admin Mode:%{DATA:[winlog][event_data][RestrictedAdminMode]}\\nVirtual Account:%{DATA:[winlog][event_data][VirtualAccountNumber]}\\nElevated Token:%{WORD:[winlog][event_data][ElevatedToken]}","Logon Type:%{NUMBER:[winlog][event_data][LogonType]}"]
            }
            match => {
              "winlog_impersonation" => "Impersonation Level:%{WORD:[winlog][event_data][ImpersonationLevel]}"
            }
            match => {
              "winlog_newlogon" => "New Logon:\\nSecurity ID:%{DATA:[winlog][event_data][TargetUserSid]}\\nAccount Name:%{DATA:[winlog][event_data][TargetUserName]}\\nAccount Domain:%{DATA:[winlog][event_data][TargetDomainName]}\\nLogon ID:%{DATA:[winlog][event_data][TargetLogonId]}\\nLinked Logon ID:%{DATA:[winlog][event_data][LinkedLogonId]}\\nNetwork Account Name:%{DATA:[winlog][event_data][NetworkAccountName]}\\nNetwork Account Domain:%{DATA:[winlog][event_data][NetworkAccountDomain]}\\nLogon GUID:%{DATA:[winlog][event_data][LogonGuid]}$"
            }
            match => {
              "winlog_process" => "Process Information:\\nProcess ID:%{DATA:[winlog][event_data][ProcessId]}\\nProcess Name:%{DATA:[winlog][event_data][ProcessName]}$"
            }
            match => {
              "winlog_network" => "Network Information:\\nWorkstation Name:%{DATA:[winlog][event_data][WorkStationName]}\\nSource Network Address:%{IPV4:[winlog][event_data][SrcNetworkAddress]}\\nSource Port:%{NUMBER:[winlog][event_data][SourcePort]}$"
            }
            match => {
              "winlog_authentication" => "%{GREEDYDATA:[winlog][event_data][authentication]}"
            }
          }#end_grok

Hi All,

Can anyone please reply me on this^

Would be greatful!

Generally it is a bad idea to supply an option to a filter more than once. logstash will combine them and sometimes it does it a way that you would not expect. You probably want to add a break_on_match option

Of course that assumes that those 7 fields already exist.

this didn't work for me

error details

%{winlog_subject}\n\n%{winlog_after_subject}"}\n tag_on_failure => ["event_code_4719_dissect_again_failed"]\n }#end_dissect\n }#end_if_after_first_failed_dissect\n # apply grok to extract exact event of interest / required fields\n grok {\n break_on_match => false\n match ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:183:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/reload.rb:53:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:357:in `block in converge_state'"]}

code:

grok {
break_on_match => false
match => {
"winlog_header" => "<%{NOTSPACE}>%{SPACE}%{HOSTNAME:host_name}%{GREEDYDATA:remaining_winlog_header}"
"winlog_subject" => "Subject:\nSecurity ID:%{DATA:winlog_eventdata_SubjectUserSid}\nAccount Name:%{DATA:winlog_eventdata_SubjectUserName}\nAccount Domain:%{DATA:winlog_eventdata_SubjectDomainName}\nLogon ID:%{GREEDYDATA:winlog_eventdata_SubjectLogonId}"
"winlog_service" => "Service:\nServer:%{DATA:service_server}\nService Name:%{DATA:winlog_eventdata_ServiceName}\n"
"winlog_process" => "Process Information:\nProcess ID:%{DATA:winlog_eventdata_ProcessId}\nProcess Name:%{DATA:winlog_eventdata_ProcessName}"
"winlog_ServiceRequestInformation" => "Service Request Information:\nPrivileges:%{DATA:service_privileges}\n"
"winlog_after_subject" => "%{GREEDYDATA:catch_all}"
}
tag_on_failure => ["event_code_4719_grokfailed"]
}#end_grok

Sir, if a field (i.e winlog_after_subject) doesn't exist and we apply to grok on that field how grok behaves then. we're saying in grok like extract more fields using regex on the source field but if it doesn't exists then will it throw an error or how will it treat.

Am I causing error due to this behavior?

What is the actual error message?

it's working now thank you

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.