Hello team. I would like to ask for help.
I have a log file with the following records.
Mar 12 07:04:07 HATAVSM002 ERAServer[3720] <U+FEFF>{"event_type":"Threat_Event","ipv4":"10.1.3.115","hostname":"test.sebb.com","source_uuid":"7290a94d-6e8e-45b2-8a82-68bb5c03622f","occured":"12-Mar-2018 07:03:10","severity":"Warning","threat_type":"test file","threat_name":"Eicar","scanner_id":"Real-time file system protection","scan_id":"virlog.dat","engine_version":"17041 (20180312)","object_type":"file","object_uri":"file:///C:/Users/test/Downloads/51916f41-bb85-4dac-a14b-a37712d0e7f9.tmp/eicar.com","action_taken":"deleted","threat_handled":true,"need_restart":false,"username":"SEBB\\test","processname":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe","circumstances":"Event occurred on a modified file.","hash":"B68913E1F10A52F3A8F0EDE635D1EA29D40AA2D7"}
This record is a combination of JSON and grok. I don't know how to parse this record.
I tried many combinations, but without success.
My filter:
filter {
  # grok: cut the leading timestamp off and keep the remainder in "message"
  grok {
    match => [ "message", "%{DATESTAMP} %{GREEDYDATA:message}" ]
  }
  # mutate: gsub over the remaining "message"
  mutate {
    gsub => [ "message", "[\\.]", "" ]
  }
  # json: decode whatever is left in "message"
  json {
    source => "message"
  }
}
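One way to take this record apart, as an added example that is not from the original post: a small Python parser that mirrors the three Logstash stages (grok the syslog header, strip the byte-order mark, decode the JSON body) and shows why a JSON decoder handed the raw payload fails. The sample line is constructed from the record above (shortened, same shape); the function names and the keys of the returned dict are my own.

```python
"""Parse an ERAServer syslog record whose body is a JSON object preceded by a BOM.

Added example, not code from the original post. It reproduces in plain Python what
the Logstash chain has to do: match the syslog header, remove the U+FEFF byte-order
mark, then JSON-decode the rest.
"""
import json
import re
from datetime import datetime

# Constructed sample, trimmed from the record in the post. The "\ufeff" directly
# after "ERAServer[3720] " is the byte-order mark that breaks a plain JSON parse.
SAMPLE_LINE = (
    "Mar 12 07:04:07 HATAVSM002 ERAServer[3720] \ufeff"
    '{"event_type":"Threat_Event","ipv4":"10.1.3.115","hostname":"test.sebb.com",'
    '"occured":"12-Mar-2018 07:03:10","severity":"Warning","threat_type":"test file",'
    '"threat_name":"Eicar","object_uri":"file:///C:/Users/test/Downloads/eicar.com",'
    '"action_taken":"deleted","threat_handled":true,"username":"SEBB\\\\test",'
    '"processname":"C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe",'
    '"hash":"B68913E1F10A52F3A8F0EDE635D1EA29D40AA2D7"}'
)

BOM = "\ufeff"

# Equivalent of grok "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{PROG}\[%{POSINT}\] %{GREEDYDATA}":
# the "Mar 12 07:04:07" form is a syslog timestamp, not the numeric DATESTAMP form.
SYSLOG_PREFIX = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[]+)\[(?P<pid>\d+)\] "
    r"(?P<payload>.*)$",
    re.DOTALL,
)


def json_filter_like_logstash(payload: str):
    """Behave like a json stage handed the raw payload: parsed object, or None on failure.

    Python's json module rejects a string that starts with U+FEFF, so the payload
    with the BOM still attached returns None here; once the BOM is gone it decodes.
    """
    try:
        return json.loads(payload)
    except json.JSONDecodeError:
        return None


def parse_era_event(line: str) -> dict:
    """Split one ERAServer syslog line into header fields plus the decoded JSON event."""
    m = SYSLOG_PREFIX.match(line)
    if m is None:
        raise ValueError("no syslog header at start of line: %r" % line[:40])
    # Remove only the leading BOM. A gsub over the whole message that deletes dots or
    # backslashes would turn 10.1.3.115 into 101315 and mangle the Windows paths.
    payload = m.group("payload").lstrip(BOM).strip()
    event = json.loads(payload)
    # The syslog timestamp carries no year; the JSON "occured" field has the full date.
    occurred = datetime.strptime(event["occured"], "%d-%b-%Y %H:%M:%S")
    return {
        "syslog_timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "program": m.group("program"),
        "pid": int(m.group("pid")),
        "occurred": occurred,
        "event": event,
    }


if __name__ == "__main__":
    raw_payload = SAMPLE_LINE.split("] ", 1)[1]
    print("json on raw payload:", json_filter_like_logstash(raw_payload))  # None: BOM in the way
    parsed = parse_era_event(SAMPLE_LINE)
    print(parsed["host"], parsed["pid"], parsed["event"]["threat_name"],
          parsed["event"]["ipv4"], parsed["occurred"].isoformat())
```

On the Logstash side the same three steps apply: the `Mar 12 07:04:07` prefix is what `%{SYSLOGTIMESTAMP}` matches (`%{DATESTAMP}` expects numeric dates such as `03/12/18`), the host and `ERAServer[3720]` part can be taken by `%{SYSLOGHOST}` and `%{PROG}\[%{POSINT}\]`, and the only thing that needs removing from the remainder before `json{}` is the leading U+FEFF character, not every dot or backslash in the message.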