I have used the eventlog filter to pull down Windows Event Logs via Logstash. This has worked handsomely, except for the Message (not message) field, which looks like this:
Key file operation.
Subject:
Security ID: S-1-5-18
Account Name: WINTEST2$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: [redacted]
Key Type: Machine key.
Key File Operation Information:
File Path:
C:\ProgramData[redacted]
Operation: Read persisted key from file.
Return Code: 0x0
We need this data for analysis. The raw data for that contains the same data, except with a morass of \r\n\t\r\n\t\r\n\t escape characters, which makes parsing kind of hard. I'm hacking something together to grok out individual fields as I come across them, but has anyone else come across this and come up with a more elegant solution?
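One way to turn that Message field into nested key/value fields, as an added example that is not part of the original post. It is plain Ruby, chosen because the same function could be dropped into a Logstash `ruby` filter; the constructed sample message, the `\r\n`/tab layout and the `parse_event_message` name are my assumptions, not something from the thread.

```ruby
# Added example (not from the post): parse the raw "Message" of a Windows
# Security event into nested hashes. Assumes, as Windows emits it, \r\n line
# breaks and tab indentation; a header such as "Subject:" has no value and
# a deeper-indented block follows; an empty "File Path:" value is on the next line.

# Constructed sample, modelled on the event message quoted in the post.
SAMPLE_MESSAGE = "Key file operation.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n" \
  "\tAccount Name:\t\tWINTEST2$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\n" \
  "Cryptographic Parameters:\r\n\tProvider Name:\tMicrosoft Software Key Storage Provider\r\n" \
  "\tAlgorithm Name:\tUNKNOWN\r\n\tKey Name:\t[redacted]\r\n\tKey Type:\tMachine key.\r\n\r\n" \
  "Key File Operation Information:\r\n\tFile Path:\r\n\tC:\\ProgramData\\[redacted]\r\n" \
  "\tOperation:\tRead persisted key from file.\r\n\r\n\tReturn Code:\t0x0\r\n"

# "Key: value" only when the colon is followed by whitespace or end of line,
# so a path such as C:\ProgramData is not mistaken for a key.
FIELD_RE = /\A([^:\t]+):(?:[ \t]+(.*))?\z/

def normalize_key(key) # "Security ID" -> "security_id", safe as an ES field name
  key.strip.downcase.gsub(/[^a-z0-9]+/, '_').gsub(/\A_|_\z/, '')
end

def parse_event_message(message)
  lines   = message.split(/\r?\n/).reject { |l| l.strip.empty? }
  section = result = {} # section: hash receiving the next "key: value" line
  pending = nil         # [hash, key] of a field still waiting for its value
  lines.each_with_index do |line, i|
    stripped = line.strip
    m = FIELD_RE.match(stripped)
    if m.nil? # free text: the top description, or the value left pending above
      if pending
        pending[0][pending[1]] = stripped
        pending = nil
      elsif result.empty?
        result['description'] = stripped
      end
      next
    end
    key, value, next_line = normalize_key(m[1]), m[2].to_s.strip, lines[i + 1]
    pending = nil
    if !value.empty?
      section[key] = value
    elsif next_line && next_line[/\A\t*/].length > line[/\A\t*/].length
      section = result[key] = {} # "Subject:"-style header opens a nested block
    else
      section[key] = nil         # value continues on the following line
      pending = [section, key]
    end
  end
  result
end
```

Inside a Logstash `ruby` filter the input would come from `event.get("Message")` and the resulting hash would go back with `event.set`, giving you `subject.security_id`, `key_file_operation_information.file_path` and so on as separate fields.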