So I have been sitting here banging my head against the wall for the better half of 3-4 hours now. I have the grok filter mentioned above working and parsing out the additional fields of my Windows event logs. I have logstash outputting to my ES cluster and all of the messages are making it to the cluster; however, the fields that are being parsed out with grok are not showing up in Kibana.
If I run logstash to stdout I can see the fields in the log file.
Here is a capture of the logstash stdout; the new fields are at the bottom: security_id, account_name, and account_domain (redacted data, of course).
"message" => "An account was logged off. Subject: Security ID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Account Name: myuser Account Domain: MYDOMAIN Logon ID: 0x7c2d10fe Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
"@version" => "1",
"@timestamp" => "2016-03-04T20:52:36.434Z",
"beat" => {
"hostname" => "MY-SERVER",
"name" => "MY-SERVER"
},
"category" => "Logoff",
"computer_name" => "MY-SERVER.MY.DOMAIN",
"count" => 1,
"event_id" => 4634,
"level" => "Information",
"log_name" => "Security",
"record_number" => "2135288570",
"source_name" => "Microsoft-Windows-Security-Auditing",
"tags" => [
[0] "windows",
[1] "server",
[2] "exchnage",
[3] "beats_input_codec_plain_applied"
],
"type" => "wineventlog",
"host" => "MYSERVER",
"msg" => "An account was logged off. ",
"security_id" => "S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX",
"account_name" => "myuser ",
"account_domain" => "MYDOMAIN"
And my logstash config:
input {
  beats {
    port => "5044"
    #type => "wincli-log"
  }
}
filter {
  # Flatten the multi-line Windows message (CRLF, LF, TAB -> space) so grok
  # can match it on a single line; the field name is "message" in all three
  # substitutions.
  mutate {
    gsub => [
      "message", "\r\n", " ",
      "message", "\n", " ",
      "message", "\t", " "
    ]
  }
  # Pull the Subject block out of the flattened message into separate fields
  grok {
    match => { "message" => "%{GREEDYDATA:msg} Subject:.Security ID:\s%{NOTSPACE:security_id}\sAccount Name:\s%{GREEDYDATA:account_name}\sAccount Domain:\s%{NOTSPACE:account_domain}" }
  }
}
output {
  elasticsearch { hosts => ["elastic1:9200", "elastic2:9200", "elastic3:9200", "elastic4:9200", "elastic5:9200", "elastic6:9200"] }
  stdout { codec => rubydebug }
}
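The stdout capture above shows account_name arriving as "myuser " with a trailing space. That comes from the pattern itself: the gsub step turns every CRLF and TAB into one space, so a tab run in the original message becomes a run of spaces, and a single \s in the grok pattern only consumes one of them, leaving the rest inside the GREEDYDATA capture. A padded value matters once the field reaches Kibana, because an exact term filter on "myuser" will not match "myuser ". The script below is an added example, not code from the post or from Logstash: it expands the post's grok pattern into the equivalent Python regex (GREEDYDATA is .* and NOTSPACE is \S+ in grok's default pattern set), runs it over a constructed 4634 message with CRLF/TAB layout, and compares it with a tightened pattern that uses \s+ and a lazy capture so no whitespace leaks into the values. The sample message, the pattern names and the helper functions are all assumptions made for this illustration.

```python
import re

# Constructed sample (not from the post): a 4634 "account was logged off"
# message as Winlogbeat delivers it, with CRLF line breaks and TAB padding.
# The "\r\n\t" before "Account Domain" stands in for the tab-indented Subject
# block; after the post's gsub step it becomes a run of two spaces.
RAW_MESSAGE = (
    "An account was logged off.\r\n\r\n"
    "Subject:\tSecurity ID:\tS-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX\r\n"
    "Account Name:\tmyuser\r\n"
    "\tAccount Domain:\tMYDOMAIN\r\n"
    "Logon ID:\t0x7c2d10fe\r\n"
    "Logon Type:\t3\r\n\r\n"
    "This event is generated when a logon session is destroyed."
)

# The post's grok pattern with the library patterns expanded:
# GREEDYDATA is .* and NOTSPACE is \S+ in grok's default pattern set.
POST_PATTERN = re.compile(
    r"(?P<msg>.*) Subject:.Security ID:\s(?P<security_id>\S+)"
    r"\sAccount Name:\s(?P<account_name>.*)"
    r"\sAccount Domain:\s(?P<account_domain>\S+)"
)

# Tightened variant (assumption, not the post's pattern): \s+ absorbs whole
# whitespace runs and the account name is captured lazily up to the next
# label, so neither leading nor trailing padding ends up in the value.
TIGHT_PATTERN = re.compile(
    r"(?P<msg>.*?)\s+Subject:\s+Security ID:\s+(?P<security_id>\S+)"
    r"\s+Account Name:\s+(?P<account_name>.*?)"
    r"\s+Account Domain:\s+(?P<account_domain>\S+)"
)


def flatten(message):
    """Mirror the mutate/gsub step: CRLF, LF and TAB each become one space."""
    return message.replace("\r\n", " ").replace("\n", " ").replace("\t", " ")


def grok(message, pattern):
    """Apply a compiled grok-equivalent regex to the flattened message.

    Returns the named captures, or an empty dict when the pattern does not
    match (Logstash would tag the event _grokparsefailure in that case).
    """
    m = pattern.search(flatten(message))
    return m.groupdict() if m else {}


def padded_fields(fields):
    """Names of captured fields whose values carry leading or trailing whitespace."""
    return [name for name, value in fields.items() if value != value.strip()]


if __name__ == "__main__":
    for label, pattern in (("post", POST_PATTERN), ("tight", TIGHT_PATTERN)):
        fields = grok(RAW_MESSAGE, pattern)
        print(label, fields, "padded:", padded_fields(fields))
```

Running it shows the post's pattern producing "myuser " while the tightened pattern yields "myuser"; the same \s+ change carries straight back into the grok line (replace each \s between a label and its value with \s+, and switch account_name from GREEDYDATA to a lazy capture or NOTSPACE if account names never contain spaces), which keeps the indexed values clean for term filters and saved searches.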