Hello,
I'm looking for a way to parse Windows logs that are sent in syslog format. I don't want to change the format to another format (like JSON), but when my logs are received in Elastic, only the timestamp and syslog host are parsed. However, I have a field "message" with the full content.
Example of the "message" field:
<14>Jul 29 08:34:56 dc2016-20.lab.local MSWinEventLog 1 Security 820 Mon Jul 29 08:34:56 2024 4672 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2016-20.flexlab20.local Special Logon Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: DC2016-20$ Account Domain: LAB Logon ID: 0x22BCB3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 72413
I would like all the fields in my Windows message to be parsed. Is there a plugin, grok pattern or other pre-made tool that would allow me to parse all the Windows log fields?
Here is my Logstash configuration:
input {
  syslog {
    # The payload is Snare-style "MSWinEventLog" text, not CEF, so the CEF codec
    # cannot decode it; the input's default plain codec is used instead.
    syslog_field => "syslog"
    timezone => "Etc/GMT"
    tags => [ "direct-syslog" ]
    port => 1514
  }
}
filter {
  # [tags] is an array, so test membership rather than equality.
  if "direct-syslog" in [tags] {
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{GREEDYDATA:syslog_message}" }
    }
    date {
      locale => "en"
      timezone => "Etc/GMT"
      # Parse the timestamp grok extracted above; [event][original] still starts
      # with "<14>" and would never match these patterns.
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
      target => "@timestamp"
    }
  }
}
output {
  elasticsearch {
    index => "enduro-%{+YYYY.MM.dd}"
    hosts => "${ELASTIC_HOSTS}"
    user => "${ELASTIC_USER}"
    password => "${ELASTIC_PASSWORD}"
    cacert => "certs/ca/ca.crt"
  }
}
I feel like I'm missing something, a method I haven't seen.
Thanks for your help
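Added example, not part of the post and not Logstash or Snare code: a Python parser for the MSWinEventLog line above, showing the fields a grok or dissect filter has to carve out of the syslog payload and of the event description. The field order (criticality, log name, Snare counter, event time, event ID, source, user, SID type, event type, computer, category, data, trailing counter) is assumed from the Snare agent's tab-delimited format. The sample is the line from the post with its tab delimiters assumed collapsed to spaces by the forum paste; a tab-delimited variant is constructed beside it. The two paths show why the pasted line is harder than the real feed: without the tabs, "Special Logon" (category) and "Special privileges assigned..." (data) cannot be separated reliably, so the parser keeps them together and says so. The key/value labels extracted from the 4672 body (Security ID, Account Name, Logon ID, Privileges) are the fields a detection rule on special-privilege logons would match on.

```python
import re
from datetime import datetime

# Constructed sample: the line from the post, whose tab delimiters are assumed
# to have been collapsed to spaces when it was pasted into the forum.
SAMPLE_COLLAPSED = (
    "<14>Jul 29 08:34:56 dc2016-20.lab.local MSWinEventLog 1 Security 820 "
    "Mon Jul 29 08:34:56 2024 4672 Microsoft-Windows-Security-Auditing N/A N/A "
    "Success Audit dc2016-20.flexlab20.local Special Logon Special privileges "
    "assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: DC2016-20$ "
    "Account Domain: LAB Logon ID: 0x22BCB3 Privileges: SeSecurityPrivilege "
    "SeBackupPrivilege SeDebugPrivilege 72413"
)

# Constructed tab-delimited variant, as the Snare agent is assumed to emit it.
SAMPLE_TABBED = "<14>Jul 29 08:34:56 dc2016-20.lab.local " + "\t".join([
    "MSWinEventLog", "1", "Security", "820", "Mon Jul 29 08:34:56 2024", "4672",
    "Microsoft-Windows-Security-Auditing", "N/A", "N/A", "Success Audit",
    "dc2016-20.flexlab20.local", "Special Logon",
    "Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 "
    "Account Name: DC2016-20$ Account Domain: LAB Logon ID: 0x22BCB3 "
    "Privileges: SeSecurityPrivilege SeBackupPrivilege SeDebugPrivilege",
    "72413",
])

# BSD syslog header: <PRI>, timestamp without a year, hostname, then the payload.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_host>\S+) (?P<payload>.*)$",
    re.DOTALL,
)

# Assumed Snare field order; the agent separates these with tabs.
SNARE_FIELDS = [
    "marker", "criticality", "log_name", "snare_counter", "event_time",
    "event_id", "source_name", "user_name", "sid_type", "event_type",
    "computer_name", "category", "data",
]

# Fallback for tab-collapsed input: every field up to the computer name is either
# space-free or has a fixed shape, so a regex can still carve them out. The
# category/data boundary is lost, and the trailing counter is taken heuristically.
SNARE_COLLAPSED_RE = re.compile(
    r"^MSWinEventLog (?P<criticality>\d+) (?P<log_name>\S+) (?P<snare_counter>\d+) "
    r"(?P<event_time>[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<event_id>\d+) (?P<source_name>\S+) (?P<user_name>\S+) (?P<sid_type>\S+) "
    r"(?P<event_type>Success Audit|Failure Audit|Information|Warning|Error) "
    r"(?P<computer_name>\S+) (?P<category_and_data>.*?)(?: (?P<trailer>\d+))?$",
    re.DOTALL,
)

# Labels used in the event 4672 description body (assumed set; extend per event ID).
KV_LABEL_RE = re.compile(
    r"\b(Subject|Security ID|Account Name|Account Domain|Logon ID|Privileges):\s*"
)


def parse_event_body(body: str) -> dict:
    """Split a 'Label: value Label: value' description into a dict."""
    parts = KV_LABEL_RE.split(body)          # [text, label, value, label, value, ...]
    fields = {"description": parts[0].strip()}
    for label, value in zip(parts[1::2], parts[2::2]):
        value = value.strip()
        if value:                            # "Subject:" heads a group and has no value
            key = label.lower().replace(" ", "_")
            fields[key] = value.split() if label == "Privileges" else value
    return fields


def parse_snare_payload(payload: str) -> dict:
    """Parse the MSWinEventLog payload, tab-delimited or tab-collapsed."""
    if "\t" in payload:
        cols = payload.split("\t")
        if cols[0] != "MSWinEventLog" or len(cols) < len(SNARE_FIELDS):
            raise ValueError("not a Snare MSWinEventLog payload")
        fields = dict(zip(SNARE_FIELDS, cols))
        fields["trailer"] = cols[-1] if len(cols) > len(SNARE_FIELDS) else None
        body = fields["data"]
    else:
        m = SNARE_COLLAPSED_RE.match(payload)
        if not m:
            raise ValueError("not a Snare MSWinEventLog payload")
        fields = m.groupdict()
        body = fields.pop("category_and_data")
        fields["category"] = None            # inseparable from data without the tab
        fields["data"] = body
    fields.pop("marker", None)
    fields["criticality"] = int(fields["criticality"])
    fields["snare_counter"] = int(fields["snare_counter"])
    fields["event_id"] = int(fields["event_id"])
    fields["event_time"] = datetime.strptime(fields["event_time"], "%a %b %d %H:%M:%S %Y")
    fields["event_data"] = parse_event_body(body)
    return fields


def parse_line(line: str) -> dict:
    """Parse a full syslog line carrying a Snare Windows event."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("no syslog header")
    pri = int(m.group("pri"))
    event = {
        "syslog_facility": pri // 8,         # <14> -> facility 1 (user)
        "syslog_severity": pri % 8,          # <14> -> severity 6 (info)
        "syslog_timestamp": m.group("syslog_timestamp"),
        "syslog_host": m.group("syslog_host"),
    }
    event.update(parse_snare_payload(m.group("payload")))
    # The Snare event time carries the year the BSD header lacks, so it is the
    # better source for @timestamp.
    event["@timestamp"] = event["event_time"]
    return event


if __name__ == "__main__":
    for sample in (SAMPLE_COLLAPSED, SAMPLE_TABBED):
        for key, value in parse_line(sample).items():
            print(f"{key}: {value}")
        print("---")
```

The named groups in SNARE_COLLAPSED_RE map one-to-one onto grok's `(?<name>...)` syntax, so the same regex can be dropped into a grok `match` once `(?P<` is changed to `(?<`; on the real tab-delimited feed, a dissect filter with `\t` separators is the simpler and faster choice.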