Parsing Windows Event Logs in syslog format

Hello,

I'm looking for a way to parse Windows logs that are sent in syslog format. I don't want to change the format to another format (like JSON), but when my logs are received in Elastic, the timestamp and syslog host are parsed. However, I have a field "message" with the full content.

Example of the "message" field

<14>Jul 29 08:34:56 dc2016-20.lab.local MSWinEventLog 1 Security 820 Mon Jul 29 08:34:56 2024 4672 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2016-20.flexlab20.local Special Logon Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: DC2016-20$ Account Domain: LAB Logon ID: 0x22BCB3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 72413

I would like all the fields in my Windows message to be parsed. Is there a plugin, grok pattern or other pre-made tool that would allow me to parse all Windows log fields?

Here is my Logstash configuration:

input {
  syslog {
    # The sample above is Snare "MSWinEventLog" text, not CEF, so the cef codec
    # cannot decode it. With the input's default plain codec the raw line lands
    # in the default "message" field, so syslog_field does not need to be set.
    timezone => "Etc/GMT"
    tags => [ "direct-syslog" ]
    port => 1514
  }
}
filter {
  # [tags] is an array: test membership with "in", not equality with "==".
  if "direct-syslog" in [tags] {
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{GREEDYDATA:syslog_message}" }
    }
    date {
      locale => "en"
      timezone => "Etc/GMT"
      # Parse the timestamp grok just extracted; the whole line in event.original
      # never matches a bare "MMM d HH:mm:ss" pattern, so @timestamp was never set.
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
      target => "@timestamp"
    }
  }
}
output {
  elasticsearch {
    index => "enduro-%{+YYYY.MM.dd}"
    hosts => "${ELASTIC_HOSTS}"
    user => "${ELASTIC_USER}"
    password => "${ELASTIC_PASSWORD}"
    cacert => "certs/ca/ca.crt"
  }
}

I feel like I'm missing something, a method I haven't seen.

Thanks for your help

That is a difficult problem. See this thread. I would guess that the first few fields are positional, so you could use either dissect or grok. But once you get into event specific data the format is also event specific. There are multiple fields that contain whitespace which are also separated by whitespace. It's hard to parse that.
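The positional header and the event-specific tail described in the reply, as an added Python example that is not part of the original thread. It parses the sample line from the question (reproduced as a constructed string, with Snare's tab delimiters collapsed to spaces as they appear in the post), anchors the header split on the two fields whose shape is fixed (the ctime-style date and the small event-type vocabulary) instead of on whitespace, and then cuts the event body at the label sequence known for event ID 4672. The field names, the EVENTS table and the EVENT_TYPES list are assumptions of this example, not a Logstash or Snare API.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample: the single line quoted in the question, with the Snare
# agent's tab delimiters collapsed to spaces as they appear in the post.
SAMPLE = (
    "<14>Jul 29 08:34:56 dc2016-20.lab.local MSWinEventLog 1 Security 820 "
    "Mon Jul 29 08:34:56 2024 4672 Microsoft-Windows-Security-Auditing N/A N/A "
    "Success Audit dc2016-20.flexlab20.local Special Logon "
    "Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 "
    "Account Name: DC2016-20$ Account Domain: LAB Logon ID: 0x22BCB3 "
    "Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege "
    "SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege "
    "SeLoadDriverPrivilege SeImpersonatePrivilege "
    "SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 72413"
)

# BSD syslog header: <PRI>, "Mon dd HH:MM:SS", hostname, then the payload.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<syslog_host>\S+) (?P<payload>.*)$"
)

# Positional Snare header. Three of its fields contain spaces (the ctime-style
# date, the event type, the category), so the split anchors on the two fields
# with a fixed shape: the date layout and the event-type vocabulary (assumed
# list). The category stays attached to the body here and is peeled off later,
# per event ID, because nothing separates it from the description once tabs are gone.
EVENT_TYPES = ("Success Audit", "Failure Audit", "Information", "Warning", "Error")
SNARE_RE = re.compile(
    r"^MSWinEventLog (?P<criticality>\d+) (?P<channel>\S+) (?P<snare_counter>\d+) "
    r"(?P<event_time>[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<event_id>\d+) (?P<provider>\S+) (?P<user>\S+) (?P<sid_type>\S+) "
    r"(?P<event_type>" + "|".join(re.escape(t) for t in EVENT_TYPES) + r") "
    r"(?P<computer>\S+) (?P<body>.*)$"
)

# Event-specific data: for a given event ID the category and the order of the
# "Label:" markers are fixed, so the body is cut at known labels instead of at
# whitespace. Only 4672 (the sample) is filled in; add an entry per event ID.
EVENTS: Dict[str, Tuple[str, List[str]]] = {
    "4672": ("Special Logon",
             ["Subject", "Security ID", "Account Name", "Account Domain", "Logon ID", "Privileges"]),
}


def split_on_labels(body: str, labels: List[str]) -> Dict[str, object]:
    """Cut body at 'Label:' markers that must occur in the given order."""
    marks = []
    pos = 0
    for label in labels:
        pat = re.compile(r"(?<![^ ])" + re.escape(label) + r":(?![^ ])")
        m = pat.search(body, pos)
        if m is None:
            raise ValueError(f"label {label!r} not found for this event")
        marks.append((label, m.start(), m.end()))
        pos = m.end()
    # Text before the first label is the event description.
    fields: Dict[str, object] = {"description": body[:marks[0][1]].strip()}
    for i, (label, _, end) in enumerate(marks):
        nxt = marks[i + 1][1] if i + 1 < len(marks) else len(body)
        fields[label] = body[end:nxt].strip()
    return fields


def parse_snare_line(line: str) -> Dict[str, object]:
    # Snare emits tab delimiters; the post shows spaces. Normalise both to spaces.
    m = SYSLOG_RE.match(line.replace("\t", " "))
    if m is None:
        raise ValueError("not a BSD syslog line")
    event: Dict[str, object] = m.groupdict()
    payload = str(event.pop("payload"))
    m = SNARE_RE.match(payload)
    if m is None:
        raise ValueError("not an MSWinEventLog payload")
    event.update(m.groupdict())
    body = str(event.pop("body"))
    # Snare appends one integer (its checksum field) after the last data field.
    tail = re.search(r" (\d+)$", body)
    if tail:
        event["snare_checksum"] = tail.group(1)
        body = body[:tail.start()]
    known = EVENTS.get(str(event["event_id"]))
    if known is None:
        event["event_data"] = {"description": body}  # unknown event: keep text whole
        return event
    category, labels = known
    if body.startswith(category + " "):
        event["category"] = category
        body = body[len(category) + 1:]
    fields = split_on_labels(body, labels)
    if "Privileges" in fields:  # list-valued field: one token per privilege
        fields["Privileges"] = str(fields["Privileges"]).split()
    event["event_data"] = fields
    return event


if __name__ == "__main__":
    print(json.dumps(parse_snare_line(SAMPLE), indent=2))
```

The named groups in SNARE_RE translate one-to-one into a grok pattern for the header; the EVENTS table is the part that has to be maintained per event ID, which is exactly why the tail of these lines does not parse generically.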