Replace return carriage associated with tab

s0p4L1n3 · May 15, 2024, 1:58pm

Hello,

I'm monitoring Windows File integrity and I want to replace some return carriage and tab that are present in the value of the field.

Field:

winlog.event_data.AccessList

Value:

%%1537
				%%1538
				%%1541
				%%4423

Target value:

%%1537 - %%1538 - %%1541 - %%4423

My filter:

filter {
  if [winlog][event_data][AccessList] {
    mutate { gsub => [ "winlog.event_data.AccessList", "\\n\\t\\t\\t\\t", " - " ] }
    mutate { gsub => [ "winlog.event_data.AccessList", "[\n\t\t\t\t]", " - " ] }
    mutate { gsub => [ "winlog.event_data.AccessList", "\n\t\t\t\t", " - " ] }
    mutate { gsub => [ "winlog.event_data.AccessList", "
				", " - " ] }
    }
}

I've tried the 4 mutate lines with gsub but none of them works.

Additionnal info
I'm currently moving from previous Log solution (graylog) and this was how I did:

rule "Winlogbeat - File Monitoring - replace tab and carriage return by simple space"

when 
    has_field("winlog_event_data_AccessList")
then
    let repl_carr = regex_replace("
				", to_string($message."winlog_event_data_AccessList")," - ",true);

    set_field ("winlog_event_data_AccessList", repl_carr);
end

Thank you for the help !

Badger · May 15, 2024, 2:08pm

You could try

mutate { gsub => [ "message", "\n\t+%", " - %" ] }

s0p4L1n3 · May 15, 2024, 2:17pm

It seem it does not work, is it because of the double %% ?

json format:

"AccessList": "%%1537\n\t\t\t\t%%1538\n\t\t\t\t%%1539\n\t\t\t\t%%1541\n\t\t\t\t%%4416\n\t\t\t\t%%4417\n\t\t\t\t%%4418\n\t\t\t\t%%4419\n\t\t\t\t%%4420\n\t\t\t\t%%4423\n\t\t\t\t%%4424\n\t\t\t\t",

message field does not contain the %%xxxx values, it contains the Human Readable values

Badger · May 15, 2024, 2:40pm

No, the single % is just used to anchor the whitespace to the value. You need to replace [message] with the actual field name, like [winlog][event_data][AccessList]

s0p4L1n3 · May 15, 2024, 2:55pm

I've followed the doc too blindfoldly ^^, juste because there was no brackets in the example, I said to myself there no need to add it... silly me.

Thanks for the tips with the single %. I'm still learning as its a bit different than Graylog process language (which use java)

My final filter is:

filter {
  if [winlog][event_data][AccessList] {
    mutate { gsub => [ "[winlog][event_data][AccessList]", "\n\t+%", " - %" ] }
    }
}