Hi All,
I am rather new to all of this, and I have been tasked with getting logging working in our environment. We have a Smoothwall firewall that we use for web filtering. I have managed to get most of the logs parsed; however, I would like to get the username, and this is where I am getting stuck.
```json
"tagset":{"Protocol":{"HTTPS":[]},"auth":{"finished":[]},"authmethod":{"core":[]},"group":{"9":[]},"localip":{"x.x.x.x":[]},"localport":{"xxx":[]},"rurlcategory":{"Connect for Chromebooks":["^https?:\/\/(?!.*?encrypted-v?tbn\\d).*?\\.?gstatic\\.com"]},"tenant":{"numbers":[]},"urlcategory":{"Connect for Chromebooks":[".ssl.gstatic.com"],"Content Delivery":[".gstatic.com"]},"username":{"domain\\user":[]}}
```
I have created the following filter:
```
filter {
  if [type] == "squid" {
    json {
      source => "message"
    }
    date {
      match        => [ "time", "UNIX" ]
      target       => "@timestamp"
      remove_field => [ "time" ]
    }
    split {
      field => "ruleid"
      field => "tagset"
    }
    mutate {
      add_field => {
        "username" => "%{[tagset][username]}"
      }
      remove_field => [ "message", "@timestamp", "tenant", "took" ]
    }
  }
}
```
The username that shows in Kibana is displayed as `{"domain\username":[]}`.
Any ideas on what I may need to do to get the username to show as `domain\username`?
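The value Kibana shows is the whole `username` hash, whose only key is the name you want. The following is an added example, not the poster's own config: it shows the extraction logic in plain Ruby, modelled on what a Logstash `ruby` filter would do with `event.get("[tagset][username]")`, and assumes the decoded event carries the tagset under a top-level `tagset` key. The sample message is constructed from the tagset line above, with most tags dropped.

```ruby
require 'json'

# Constructed sample, shortened from the tagset shown in the post. The JSON text
# contains domain\\user, which decodes to the string domain\user.
SAMPLE_MESSAGE = '{"tagset":{"Protocol":{"HTTPS":[]},"group":{"9":[]},' \
                 '"urlcategory":{"Connect for Chromebooks":[],"Content Delivery":[]},' \
                 '"username":{"domain\\\\user":[]}}}'

# Return every key of a hash-valued tag (e.g. both url categories), or an
# empty array when the tag is missing or not shaped like {"key":[...]}.
def tag_keys(tagset, name)
  value = tagset.is_a?(Hash) ? tagset[name] : nil
  value.is_a?(Hash) ? value.keys : []
end

# Return the single key of a tag such as {"domain\\user":[]} as a plain string.
# Returns nil when the tag is absent or carries more than one key, so a
# malformed or unauthenticated record does not get a bogus username.
def tag_key(tagset, name)
  keys = tag_keys(tagset, name)
  keys.size == 1 ? keys.first : nil
end

# Flatten the tags we care about into top-level string fields, as a Logstash
# ruby filter would via event.set("username", ...). Fields are only set when a
# clean value exists, so downstream searches never see an empty string.
def enrich(event)
  tagset = event["tagset"]
  user  = tag_key(tagset, "username")
  group = tag_key(tagset, "group")
  event["username"] = user  unless user.nil?
  event["group"]    = group unless group.nil?
  cats = tag_keys(tagset, "urlcategory")
  event["urlcategory"] = cats unless cats.empty?
  event
end

# Decode one raw log line and enrich it.
def process(message)
  enrich(JSON.parse(message))
end

if __FILE__ == $PROGRAM_NAME
  puts process(SAMPLE_MESSAGE)["username"]
end
```

In Logstash itself the same logic goes into a `ruby { code => "..." }` block placed after the `json` filter, reading with `event.get` and writing with `event.set`; the `add_field` sprintf reference in the posted filter cannot do this because it renders the hash, not its key.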