Parsing the Windows Message Field (Postprocessing after eventlog filter)

I have used the eventlog filter to pull down Windows Event Logs via Logstash. This has worked handsomely, except for the Message (not message) field, which looks like this:

Key file operation.

Security ID: S-1-5-18
Account Name: WINTEST2$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: [redacted]
Key Type: Machine key.

Key File Operation Information:
File Path:

Operation:	Read persisted key from file.
Return Code:	0x0

We need this data for analysis. The raw data for that contains the same data, except with a morass of \r\n\t\r\n\t\r\n\t escape characters, which makes parsing kind of hard. I'm hacking something together to grok out individual fields as I come across them, but has anyone else come across this and come up with a more elegant solution?

Have you tried the kv filter? With field_split set to a newline character and value_split set to ": " it might work. Otherwise the ruby filter might be the easiest way out.

1 Like