Hello, I have a problem with grok timing out. What I have learned is that the value exceeds the limit. The error: "Timeout executing grok against 'message' with value 'Value too large to output (1006 bytes)! First 255 chars are: "
Here is a sample of the log (there are 13 points that I want to get, and maybe the last point can be excluded):
// 1Sep 18 14:54:36 2hostname 3microsoft-windows-security-audit 44624 5An account was successfully logged on. Subject:Security ID:S-1-0-0Account Name:6**-Account Domain:7-Logon ID:0x0Logon Type:3New Logon:Security ID:S-1-5-21-1496626984-4026086081-1346473819-1199Account Name:8-Account Domain:9-Logon ID:0xbd421db9dLogon GUID:{00000000-0000-0000-0000-000000000000}Process Information:Process ID:0x0Process Name:-Network Information:Workstation Name:10-Source Network Address:11-Source Port:12-Detailed Authentication Information:13Logon Process:NtLmSsp Authentication Package:NTLMTransited Services:-Package Name (NTLM only):NTLM V2Key Length:128This event is generated when a logon session is created. Itis generated on the computer that was accessed.The subject fields indicate the account on the local systemwhich requested the logon. This is most commonly a servicesuch as the Server service, or a local process such asWinlogon.exe or Services.exe.The**
And here is the grok + regex that I made (corrected: the malformed `(?<windows_event>.+?()|.))` group is replaced by a capture that stops at the first period, and every greedy `.+` capture that forced the engine to backtrack across the whole message is replaced by a capture bracketed by the literal label before it and the literal label after it; `\s*` around the labels tolerates the tabs/newlines the raw event carries before it is flattened):
// match => { "message" => "%{SYSLOGTIMESTAMP:windows_timestamp} %{SYSLOGHOST:windows_hostname} (?<windows_service>\S+) %{POSINT:windows_eventid} (?<windows_event>[^.]+\.)\s*Subject:\s*Security ID:\s*\S+?\s*Account Name:\s*(?<windows_accname>.+?)\s*Account Domain:\s*(?<windows_accdomain>.+?)\s*Logon ID:[\s\S]*?New Logon:\s*Security ID:\s*\S+?\s*Account Name:\s*(?<windows_accName>.+?)\s*Account Domain:\s*(?<windows_accDomain>.+?)\s*Logon ID:[\s\S]*?Workstation Name:\s*(?<windows_workstation>.+?)\s*Source Network Address:\s*(?<windows_srcip>.+?)\s*Source Port:\s*(?<windows_srcport>.+?)\s*Detailed Authentication Information:\s*%{GREEDYDATA:windows_message}" }
Any help would be greatly appreciated. Thanks in advance.
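The timeout is not caused by the size of the message alone: a 1 KB string is small. It is caused by the four greedy `.+` captures (`windows_accName`, `windows_accDomain`, `windows_workstation`, `windows_srcip`) each followed by a lazy skip such as `(A.+?:)`. Each greedy group first swallows the rest of the message, then gives characters back one at a time while every later group re-tries, so the engine explores on the order of n^4 split points before it either matches something wrong or hits grok's timeout (`timeout_millis` only decides when grok gives up, it does not make the match cheaper). The group `(?<windows_event>.+?()|.))` is also malformed (its parentheses do not balance). The fix is to anchor every capture between the literal label that precedes it and the literal label that follows it, so the engine only tries the positions where the next label actually occurs. The block below is an added example, not code from the original post: it is written in Ruby because Ruby's regex engine uses the same `(?<name>...)` syntax as Logstash grok (Joni), so the pattern can be moved into a grok `match` almost unchanged. The constants `SAMPLE`, `RAW_SAMPLE`, `EVENT_4624` and the function `parse_4624` are mine; the `windows_*` field names are the ones from the question. Both sample events are constructed: the first is the poster's line with the numeric markers removed and the tail shortened, the second is the same event with the CRLF and tab separators a 4624 event carries before it is flattened, with made-up values in the New Logon and Network Information fields.

```ruby
# Added example (not from the original post). Label-anchored parsing of the
# Windows 4624 "An account was successfully logged on" event so the regex
# engine never has to backtrack a greedy .+ across the whole message.

# Constructed sample 1: the question's line with the 1..13 markers removed
# and the long description at the end shortened.
SAMPLE = "Sep 18 14:54:36 hostname microsoft-windows-security-audit 4624 " \
  "An account was successfully logged on. Subject:Security ID:S-1-0-0" \
  "Account Name:-Account Domain:-Logon ID:0x0Logon Type:3New Logon:" \
  "Security ID:S-1-5-21-1496626984-4026086081-1346473819-1199" \
  "Account Name:-Account Domain:-Logon ID:0xbd421db9d" \
  "Logon GUID:{00000000-0000-0000-0000-000000000000}" \
  "Process Information:Process ID:0x0Process Name:-" \
  "Network Information:Workstation Name:-Source Network Address:-" \
  "Source Port:-Detailed Authentication Information:" \
  "Logon Process:NtLmSsp Authentication Package:NTLM" \
  "Transited Services:-Package Name (NTLM only):NTLM V2Key Length:128" \
  "This event is generated when a logon session is created."

# Constructed sample 2: the same event with the CRLF/tab layout Windows uses,
# and made-up values for the New Logon and Network Information fields.
RAW_SAMPLE = "Sep 18 14:54:36 hostname microsoft-windows-security-audit 4624 " \
  "An account was successfully logged on.\r\n\r\nSubject:\r\n" \
  "\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n" \
  "\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\n" \
  "Logon Type:\t\t\t3\r\n\r\nNew Logon:\r\n" \
  "\tSecurity ID:\t\tS-1-5-21-1496626984-4026086081-1346473819-1199\r\n" \
  "\tAccount Name:\t\tbob\r\n\tAccount Domain:\t\tCORP\r\n" \
  "\tLogon ID:\t\t0xbd421db9d\r\n" \
  "\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\n" \
  "Process Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\n" \
  "Network Information:\r\n\tWorkstation Name:\tWS01\r\n" \
  "\tSource Network Address:\t10.0.0.5\r\n\tSource Port:\t\t49152\r\n\r\n" \
  "Detailed Authentication Information:\r\n" \
  "\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n"

# Each capture sits between the literal label before it and the literal
# label after it, so a lazy .+? stops at the first place the next label
# matches instead of a greedy .+ being walked back across the message.
# \s* around the labels accepts both the flattened and the CRLF/tab form;
# [\s\S]*? is used for the skips because . does not cross newlines here.
# Fields named exactly as in the question (13 in total).
EVENT_4624 = /\A
  (?<windows_timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+
  (?<windows_hostname>\S+)\s+
  (?<windows_service>\S+)\s+
  (?<windows_eventid>\d+)\s+
  (?<windows_event>[^.]+\.)\s*
  Subject:\s*Security\sID:\s*\S+?\s*
  Account\sName:\s*(?<windows_accname>.+?)\s*
  Account\sDomain:\s*(?<windows_accdomain>.+?)\s*
  Logon\sID:[\s\S]*?
  New\sLogon:\s*Security\sID:\s*\S+?\s*
  Account\sName:\s*(?<windows_accName>.+?)\s*
  Account\sDomain:\s*(?<windows_accDomain>.+?)\s*
  Logon\sID:[\s\S]*?
  Workstation\sName:\s*(?<windows_workstation>.+?)\s*
  Source\sNetwork\sAddress:\s*(?<windows_srcip>.+?)\s*
  Source\sPort:\s*(?<windows_srcport>.+?)\s*
  Detailed\sAuthentication\sInformation:\s*
  (?<windows_message>[\s\S]*)
\z/x

# Returns a Hash of field name => value, or nil when the line is not a
# 4624 event in this shape (no partial captures are reported).
def parse_4624(line)
  m = EVENT_4624.match(line)
  m && m.named_captures
end

if __FILE__ == $PROGRAM_NAME
  parse_4624(SAMPLE).each { |name, value| puts "#{name}=#{value.inspect}" }
end
```

To move this into the grok filter, keep `%{SYSLOGTIMESTAMP}`, `%{SYSLOGHOST}` and `%{POSINT}` for the first four fields and paste the rest of the body as-is (without the `/x` line breaks); grok compiles it with the same engine semantics. The `\s*` around every label is what makes one pattern serve both the flattened message in the question and the raw multi-line event, and `[\s\S]*` for the last field avoids `GREEDYDATA` (`.*`) stopping at the first newline when the event is not flattened.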