Hello, I am pretty new to the ELK stack. Currently I am trying to parse my application log using a grok pattern. But since my logs are not structured I may have to use grok conditions, because in the output I have Windows event and Deep Security logs.
I am trying the below, but it doesn't work:
filter {
  # Only Deep Security lines go through this branch; Windows event lines pass untouched
  if [message] =~ "\bDeep Security\b" {
    mutate {
      # tabs become "|" so the kv filter below can split on a single delimiter
      gsub => ["message", "\t", "|"]
      add_tag => [ "Deep Security" ]
    }
    grok {
      # <PRI> followed by the RFC 3164 timestamp, e.g. "<134>Dec 12 16:28:02"
      match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP:devTime}" }
    }
    date {
      # second pattern covers single-digit days ("Dec  5"); no year in the source, so the current year is assumed
      match => [ "devTime", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
    }
    kv {
      source => "message"
      value_split => "="
      field_split => "|"
    }
  }   # closes the if
}     # closes filter
Desired result: Deep Security logs should have the same format as the Windows event logs
<135>1 2022-12-12T16:28:02Z HOSTNAME EvntSLog - - - Le service Service de licences de client (ClipSVC) est entré dans l’état : arrêté.
230 <134>Dec 12 16:28:02 HOSTNAME CEF:0|Trend Micro|Deep Security Manager|20.0.703|602|User Timed Out|
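To make the two formats above concrete, here is an added Python example (not part of the original post and not Logstash code) that recognises both line shapes and normalises them into one schema: the RFC 5424 line the Windows agent emits, and the RFC 3164 line with an RFC 6587 octet-count prefix ("230 ") and a CEF payload that Deep Security Manager emits. It shows what the grok, date and kv stages have to extract (PRI, timestamp, host, and the pipe-separated CEF header with its space-separated key=value extension). The sample lines are constructed, modelled on the two lines in the post; the third line with a severity and an extension is an assumed CEF shape, and the field names in the output dict are my own choice.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, modelled on the two formats shown in the post
WINDOWS_LINE = ("<135>1 2022-12-12T16:28:02Z HOSTNAME EvntSLog - - - "
                "Le service Service de licences de client (ClipSVC) est entré dans l’état : arrêté.")
DEEP_SECURITY_LINE = ("230 <134>Dec 12 16:28:02 HOSTNAME "
                      "CEF:0|Trend Micro|Deep Security Manager|20.0.703|602|User Timed Out|")
# Assumed full CEF line (constructed): severity present and a key=value extension
DEEP_SECURITY_FULL = ("<134>Dec  5 09:01:07 HOSTNAME CEF:0|Trend Micro|Deep Security Manager|"
                      "20.0.703|602|User Timed Out|3|suser=admin msg=Session idle timeout")

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# RFC 3164 style: optional octet-count prefix (RFC 6587 framing), <PRI>, "MMM dd HH:mm:ss", host, message
RFC3164_RE = re.compile(
    r"^(?:\d+ )?<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# CEF header fields, in order, after the "CEF:" prefix
CEF_HEADER = ["cef_version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity"]


def split_cef_header(text):
    """Split a CEF header on unescaped '|' (CEF escapes a literal pipe as '\\|')."""
    return [f.replace(r"\|", "|") for f in re.split(r"(?<!\\)\|", text)]


def parse_cef(msg):
    """Parse 'CEF:0|vendor|product|version|sigid|name|severity|k=v k=v' into a dict."""
    if not msg.startswith("CEF:"):
        return None
    parts = split_cef_header(msg[len("CEF:"):])
    header, extension = parts[:7], parts[7:]
    fields = dict(zip(CEF_HEADER, header))      # tolerates a truncated header
    ext = "|".join(extension).strip()           # everything after the 7th pipe
    # Extension values may contain spaces, so split only before "key=" tokens
    for pair in (re.split(r"\s+(?=[\w.]+=)", ext) if ext else []):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def parse_line(line, default_year=2022):
    """Normalise a Windows (RFC 5424) or Deep Security (RFC 3164 + CEF) line to one schema."""
    line = line.strip()
    cef = None
    m = RFC5424_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        source = "windows_event"
    else:
        m = RFC3164_RE.match(line)
        if not m:
            raise ValueError("unrecognised syslog line: %r" % line)
        # RFC 3164 timestamps carry no year; the caller supplies one (assumption)
        ts = datetime.strptime("%d %s" % (default_year, m["ts"]),
                               "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        cef = parse_cef(m["msg"])
        source = ("deep_security" if cef and "Deep Security" in cef.get("device_product", "")
                  else "syslog")
    pri = int(m["pri"])
    event = {
        "source": source,
        "syslog_facility": pri // 8,   # PRI = facility * 8 + severity
        "syslog_severity": pri % 8,
        "@timestamp": ts.isoformat(),
        "host": m["host"],
        "message": m["msg"],
    }
    if cef:
        event["cef"] = cef
    return event


if __name__ == "__main__":
    for sample in (WINDOWS_LINE, DEEP_SECURITY_LINE, DEEP_SECURITY_FULL):
        print(parse_line(sample))
```

The point of the normalised dict is that both sources end up with the same top-level keys (facility, severity, timestamp, host, message), which is what the Logstash pipeline needs to produce: the Windows line needs only the RFC 5424 split, while the Deep Security line needs the octet-count prefix skipped, the PRI and timestamp extracted, and the CEF header split on unescaped pipes before the key=value extension is parsed.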