Parsing variable multiline text from event log

SimonR · April 7, 2021, 11:36am

Hi Logstash experts.
Im having big issues parsing MSSQL logs from the Windows event log, and i hope someone can assist.

MSSQL logs event id 33205 to Windows event log, in a somewhat structured format, except the "Statement" field containing the SQL query.

Raw Event id looks like this:

server_principal_name:domain.local\username
server_principal_sid:123456789123456798123456
database_principal_name:test1
server_instance_name:coolServerName
database_name:coolDatabaseName
statement:with info as(
		select test123.*,
				lu.test as hellohello,
				lu.hhy    as whatIsThisEven,
		gtinInf.GTIN,
		left(case when HelloAgain.cleansedRow                is not null and HelloAgain.cleansedRow                not in (select * from #stopwords) then HelloAgain.cleansedRow                end, 1000) as Party123,
additional_information:someMoreInfoHere

By default, logstash does not know how to parse and puts everything in message field.

My first solution was to use KV filter to specify ":" as value split, and "\n" as field split.
This works, until it meets a multiline log.
I made a Regex that is able to capture the multiline SQL statement, but i feel like i still need to use KV filter for all the other lines, where KV filter works fine.
Am i able to use KV filter until a sudden point, and then explicitly specify the statement field using my Regex?
I have been though the Filter documentation, and KV or Gsub seems to be the way, but im not sure.

Any sugestions would be appereciated.

Note: Because the "statement" field changes ALOT depending on what queries are run, i cannot statically parse it, i think. If im approaching this wrong, please let me know

Current KV filter:

filter {
  if [event][code] == 33205 {
  kv {
  field_split => "\n"
  value_split => ":"
  remove_field => [ "{param}", "my_extraneous_field" ]
  }
 }

}

Best regards

Badger · April 7, 2021, 5:31pm

I spent 20 minutes writing a hideous ruby filter (which did not even work quite correctly) and then I realized that you can

    mutate { gsub => [ "message", "\n\s+", " " ] }
    kv { source => "[message]" value_split => ":" field_split_pattern => "\n" }

to get

   "server_principal_sid" => "123456789123456798123456",
              "statement" => "with info as( select test123.*, lu.test as hellohello, lu.hhy    as whatIsThisEven, gtinInf.GTIN, left(case when HelloAgain.cleansedRow                is not null and HelloAgain.cleansedRow                not in (select * from #stopwords) then HelloAgain.cleansedRow                end, 1000) as Party123,",
   "server_instance_name" => "coolServerName",
 "additional_information" => "someMoreInfoHere",

SimonR · April 8, 2021, 9:36am

Badger, you are truly an angel! I tested the parsing, and so far so good. All kinds of weirds statements gets parsed fine.

Thanks for your time, and effort!

SimonR · April 9, 2021, 11:35am

UPDATE:

LS parses ALMOST everything correct with the config @Badger provided, thanks!

However i come to realize that not all of the statements contains newline followed by tab.

A few statements that are run pretty often looks something like this

system · May 7, 2021, 11:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing additional data in a windows event log Logstash	4	1679	July 9, 2018
Grock filter to parse SQL query Logstash	5	2413	July 19, 2018
Logstash parsing issue Logstash	3	339	July 13, 2018
Grab specific fields from multiline log Logstash	5	670	May 26, 2017
Parsing multiline events with logstash Logstash	1	289	May 21, 2020

Parsing variable multiline text from event log

Related topics