Separate Message into different event

peterch · May 16, 2018, 2:30am

Dear All,

I tried to forward some log to ELK from a device. I find all event merge into one message. May I know is it possible to separate into different event? here's the log example. Thanks

<51>May 16 10:10:35 xp SYServer: abc,,Allowed,C:\Program Files\SY\SY\38\Bin\ccSvcHst.exe,,Begin: 2018-05-16 10:08:54,End: 2018-05-16 10:08:54,Rule: ,3780,C:\PROGRAM FILES\ENTERPRISE\BES\BES.EXE,0,,C:\Program Files\SY\SY \38\Bin\ccSvcHst.exe,User: SYSTEM,Domain: ,Action Type: 10,File size (bytes): ,Device ID:
<51>May 16 10:10:35 XP SYServer: avc,,Allowed,C:\Program Files\SY\SY\38\Bin\ccSvcHst.exe,,Begin: 2018-05-16 09:45:36,End: 2018-05-16 09:45:36,Rule: ,3888,C:\PROGRAM FILES\ENTERPRISE\BES\BES.EXE,0,,C:\Program Files\SY\SY\38\Bin\ccSvcHst.exe,User: SYSTEM,Domain: ,Action Type: 10,File size (bytes): ,Device ID:

peterch · May 16, 2018, 3:52am

Dear All,

I know how to solve it using codec=> line {delimiter => "<51>"}

BTW, If I want to delimiter based on <51> or <52>, may I know how to do that.

I tried codec=> line {delimiter => "<51>", "<52>"} but fail

Christian_Dahlqvist · May 16, 2018, 4:55am

How are you forwarding the events to Logstash? Are you sending via TCP without adding a newline after each record?

peterch · May 16, 2018, 5:49am

The log is sent from a system through tcp. The system only can be configured destination ip and protocol (TCP / UDP), cannot add a new line. May I know using UDP can solve the issue?

Now I tried to use codec=> line {delimiter => "<51>"} to separate each record and succeed. But I also want to separate each record based on "<52>". Can I do like this?

Thanks

peterch · May 16, 2018, 6:53am

I have solved the issue by changing log line separate from CR to LF .

system · June 13, 2018, 7:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.