Hi,
I have logs that I'm sending to Logstash from SentinelOne in an RFC-5424 format (this is the way they called it) that I wasn't sure how to handle.
I began by dividing the fields using Grok and now my issue is how to handle the following part. The goal is to use the name after the space as the key and the data after the equal sign as a value (some logs may have more/fewer fields in the data). The output eventually is JSON.
Do you have any suggestions?
[activityType@53163 activityType="5125"][activityId@53163 activityId="623003754907567206"][siteId@53163 siteId="623002780243591455"][siteName@53163 siteName="mlbcjy"][accountId@53163 accountId="622999338330619906"][accountName@53163 accountName="SentinelOne"][notificationScope@53163 notificationScope="SITE"][agentId@53163 agentId="623002794101572118"][threatId@53163 threatId="-"][comments@53163 comments="-"][userId@53163 userId="-"][data.uid@53163 data.uid="Serial"][data.creator@53163 data.creator="wsnbiw"][data.osType@53163 data.osType="windows"][data.ruleId@53163 data.ruleId="623003742878303298"][data.version@53163 data.version="N/A"][data.eventId@53163 data.eventId="492c9d6a-116d-4f0f-a04c-2c609e55f62c"][data.groupId@53163 data.groupId="623002780268757280"][data.interface@53163 data.interface="USB"][data.ruleName@53163 data.ruleName="avywou"][data.ruleType@53163 data.ruleType="productId"][data.vendorId@53163 data.vendorId="3"][data.eventTime@53163 data.eventTime="2014-11-09T11:14:33.900+03:00"][data.eventType@53163 data.eventType="blocked"][data.productId@53163 data.productId="38B83"][data.scopeName@53163 data.scopeName="mlbcjy (SentinelOne) Default Group"][data.deviceName@53163 data.deviceName="My device"][data.lmpVersion@53163 data.lmpVersion="N/A"][data.minorClass@53163 data.minorClass="N/A"][data.deviceClass@53163 data.deviceClass="01h"][data.computerName@53163 data.computerName="TEST-AGENT-WIN"][data.profileUuids@53163 data.profileUuids="N/A"][data.ruleScopeName@53163 data.ruleScopeName="site mlbcjy"][data.lastLoggedInUserName@53163 data.lastLoggedInUserName="testuser"][secondaryDescription@53163 secondaryDescription="-"][description@53163 description="-"][createdAt@53163 createdAt="2019-05-10T13:57:15.009733Z"][groupId@53163 groupId="623002780268757280"][agentUpdatedVersion@53163 agentUpdatedVersion="-"][hash@53163 hash="-"][osFamily@53163 osFamily="-"][siteId@53163 siteId="623002780243591455"][updatedAt@53163 updatedAt="2019-05-10T13:57:15.009738Z"]
Here is the full log example from their documentation:
<36>1 2019-05-10T13:57:15.009733Z 192.0.2.4 SentinelOne 91ce403e-66c2-488e-a3ee-351615cf7512 623003754907567206 [activityType@53163 activityType="5125"][activityId@53163 activityId="623003754907567206"][siteId@53163 siteId="623002780243591455"][siteName@53163 siteName="mlbcjy"][accountId@53163 accountId="622999338330619906"][accountName@53163 accountName="SentinelOne"][notificationScope@53163 notificationScope="SITE"][agentId@53163 agentId="623002794101572118"][threatId@53163 threatId="-"][comments@53163 comments="-"][userId@53163 userId="-"][data.uid@53163 data.uid="Serial"][data.creator@53163 data.creator="wsnbiw"][data.osType@53163 data.osType="windows"][data.ruleId@53163 data.ruleId="623003742878303298"][data.version@53163 data.version="N/A"][data.eventId@53163 data.eventId="492c9d6a-116d-4f0f-a04c-2c609e55f62c"][data.groupId@53163 data.groupId="623002780268757280"][data.interface@53163 data.interface="USB"][data.ruleName@53163 data.ruleName="avywou"][data.ruleType@53163 data.ruleType="productId"][data.vendorId@53163 data.vendorId="3"][data.eventTime@53163 data.eventTime="2014-11-09T11:14:33.900+03:00"][data.eventType@53163 data.eventType="blocked"][data.productId@53163 data.productId="38B83"][data.scopeName@53163 data.scopeName="mlbcjy (SentinelOne) Default Group"][data.deviceName@53163 data.deviceName="My device"][data.lmpVersion@53163 data.lmpVersion="N/A"][data.minorClass@53163 data.minorClass="N/A"][data.deviceClass@53163 data.deviceClass="01h"][data.computerName@53163 data.computerName="TEST-AGENT-WIN"][data.profileUuids@53163 data.profileUuids="N/A"][data.ruleScopeName@53163 data.ruleScopeName="site mlbcjy"][data.lastLoggedInUserName@53163 data.lastLoggedInUserName="testuser"][secondaryDescription@53163 secondaryDescription="-"][description@53163 description="-"][createdAt@53163 createdAt="2019-05-10T13:57:15.009733Z"][groupId@53163 groupId="623002780268757280"][agentUpdatedVersion@53163 agentUpdatedVersion="-"][hash@53163 hash="-"][osFamily@53163 osFamily="-"][siteId@53163 siteId="623002780243591455"][updatedAt@53163 updatedAt="2019-05-10T13:57:15.009738Z"] USB device My device was blocked on TEST-AGENT-WIN because of rule avywou in site mlbcjy.
Thank you!