Hello!
I have a nested part in a log that I can't manage to parse:
Here is my config:
filter {
  # replace second "msg" field by "nested" field
  mutate {
    gsub => ["message", "Message=", " nested="]
  }
  kv {
    source => "message"
    field_split => " "
    value_split => "="
  }
  kv {
    source => "nested"
    remove_char_key => " "
    value_split => ":"
  }
}
Result:
{
  "<13>Mar 31 14:36:06 192.168.200.34 AgentDevice" => "WindowsLog",
  "Computer" => "WINCOLLECT_LOGSTASH",
  "RecordNumber" => "1467",
  "Level" => "Log Always",
  "@timestamp" => 2020-03-31T12:36:14.998Z,
  "TimeGenerated" => "1585658165",
  "PluginVersion" => "7.2.9.96",
  "TimeWritten" => "1585658165",
  "host" => "192.168.200.34",
  "Keywords" => "Audit Success",
  "message" => "<13>Mar 31 14:36:06 192.168.200.34 AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=7.2.9.96\tSource=Microsoft-Windows-Security-Auditing\tComputer=WINCOLLECT_LOGSTASH\tOriginatingComputer=WINCOLLECT_LOGSTASH\tUser=\tDomain=\tEventID=4634\tEventIDCode=4634\tEventType=8\tEventCategory=12545\tRecordNumber=1467\tTimeGenerated=1585658165\tTimeWritten=1585658165\tLevel=Log Always\tKeywords=Audit Success\tTask=SE_ADT_LOGON_LOGOFF\tOpcode=Info\tnested=An account was logged off. Subject: Security ID: WINCOLLECT_LOGS\\Administrator Account Name: Administrator Account Domain: WINCOLLECT_LOGS Logon ID: 0xADD113 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
  "AgentLogFile" => "Security",
  "EventID" => "4634",
  "port" => 50120,
  "EventType" => "8",
  "Subject" => "Security",
  "Type" => "7",
  "Domain" => "WINCOLLECT_LOGS",
  "OriginatingComputer" => "WINCOLLECT_LOGSTASH",
  "EventCategory" => "12545",
  "EventIDCode" => "4634",
  "@version" => "1",
  "ID" => [
    [0] "WINCOLLECT_LOGS\\Administrator",
    [1] "0xADD113"
  ],
  "Name" => "Administrator",
  "nested" => "An account was logged off. Subject: Security ID: WINCOLLECT_LOGS\\Administrator Account Name: Administrator Account Domain: WINCOLLECT_LOGS Logon ID: 0xADD113 Logon Type: 7 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
  "Task" => "SE_ADT_LOGON_LOGOFF",
  "type" => "syslog",
  "Opcode" => "Info",
  "Source" => "Microsoft-Windows-Security-Auditing"
}
It should be "SecurityID" and not "ID"
It should be "AccountDomain" and not "Domain"
It should be "LogonType" and not "Type"
Thanks for your help!
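The keys come out wrong because a whitespace-delimited key/value parser splits the text into tokens before it looks for the `:` separator, so the key in front of `Security ID:` is just the token `ID`; `remove_char_key => " "` never sees a space in a key and cannot help. The two `ID` hits (Security ID, Logon ID) then collapse into one array, and `Logon Type: 7` gets the single-word key `Type`. The Python below is an added illustration, not the poster's config and not Logstash code: `whitespace_kv` mimics that token-first behaviour on the post's own `nested` value (embedded here as a constructed sample), and two alternative fixes follow. `collapse_labels` rewrites the known multi-word labels to one token and drops the `Subject:` section header before parsing (the equivalent of a `mutate { gsub => [...] }` on `nested` in front of the second `kv`); `parse_subject_block` extracts the fields by label with a value pattern of the right shape, which keeps the explanatory sentence after `Logon Type: 7` out of the value. The label list and patterns are assumptions drawn from this one event body (4634), not a general Windows event schema.

```python
"""Why a whitespace key/value parser turns "Security ID: X" into ID=X, and two ways around it."""
import re

# Constructed sample: the "nested" value from the post (Windows Security event 4634 body,
# flattened onto a single line by the forwarder).
NESTED = (
    "An account was logged off. Subject: Security ID: WINCOLLECT_LOGS\\Administrator "
    "Account Name: Administrator Account Domain: WINCOLLECT_LOGS Logon ID: 0xADD113 "
    "Logon Type: 7 This event is generated when a logon session is destroyed. It may be "
    "positively correlated with a logon event using the Logon ID value. Logon IDs are "
    "only unique between reboots on the same computer."
)

# Assumed labels of the 4634 "Subject" block; the post wants them joined ("SecurityID", ...).
LABELS = ["Security ID", "Account Name", "Account Domain", "Logon ID", "Logon Type"]
# Section headers that carry no value of their own and would otherwise swallow the next token.
SECTION_HEADERS = ["Subject"]


def whitespace_kv(text):
    """Mimic a kv filter with field_split " " and value_split ":": the key is the one
    token directly in front of the colon, the value the one token after it. Repeated keys
    become a list, which is how "ID" ends up holding both the SID and the logon ID."""
    found = {}
    for key, value in re.findall(r"(\S+):\s*(\S+)", text):
        found.setdefault(key, []).append(value)
    return {k: v[0] if len(v) == 1 else v for k, v in found.items()}


def collapse_labels(text, labels=LABELS, headers=SECTION_HEADERS):
    """Fix 1 (gsub before kv): turn "Security ID:" into "SecurityID:" so a token-first
    parser sees single-token keys, and remove bare section headers such as "Subject:"."""
    for header in headers:
        text = re.sub(rf"\b{re.escape(header)}:\s*", "", text)
    for label in labels:
        text = re.sub(rf"\b{re.escape(label)}:", label.replace(" ", "") + ":", text)
    return text


def parse_subject_block(text):
    """Fix 2 (schema-driven): search for each known label followed by a value of the
    expected shape. Tight patterns (hex logon ID, numeric logon type) stop the free-text
    sentence that follows "Logon Type: 7" from leaking into the value, and a field whose
    value does not match is simply absent rather than silently wrong."""
    schema = {
        "Security ID": r"[^\s]+",
        "Account Name": r"[^\s]+",
        "Account Domain": r"[^\s]+",
        "Logon ID": r"0x[0-9A-Fa-f]+",
        "Logon Type": r"\d+",
    }
    out = {}
    for label, value_re in schema.items():
        m = re.search(rf"\b{re.escape(label)}:\s*({value_re})(?!\S)", text)
        if m:
            out[label.replace(" ", "")] = m.group(1)
    return out


if __name__ == "__main__":
    print("token-first parse :", whitespace_kv(NESTED))
    print("gsub then parse   :", whitespace_kv(collapse_labels(NESTED)))
    print("schema parse      :", parse_subject_block(NESTED))
```

In Logstash terms, fix 1 is a `mutate { gsub => ["nested", "Security ID:", "SecurityID:", "nested", "Account Name:", "AccountName:", ...] }` placed before the second `kv`; fix 2 corresponds to a `grok` pattern (or a `ruby` filter) that names each field explicitly. The second approach is the one to prefer for security events: it yields the same `SecurityID`, `AccountName`, `AccountDomain`, `LogonID` and `LogonType` keys, and it refuses to attach free text to a field that should be a SID, a hex logon ID or a small integer.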