Help with parsing Kaspersky logs

Not sure if this should be asked here or maybe Kibana so please let me know if this isn’t the right place…
I’ve written a grok pattern using a Grok debugger tool and the tool gives me the proper named fields, but when I add the pattern as a filter conf file in logstash it’s being parsed differently in Kibana. As you will see in the screenshot, the Reason field is including a lot of the fields I am attempting to parse, but the kvdata fields are parsing correctly.


Here is my pattern:

filter {
  if [type] == "kaspersky-av" {
    grok {
      # '|', '[' and ']' are regex metacharacters and must be escaped to match literally;
      # the "Label: value" lines of the event body are separated by CR LF (\r\n).
      match => { "message" => "%{SYSLOGTIMESTAMP}\s%{IPV4:SourceIP}\s%{INT}\s%{TIMESTAMP_ISO8601}\s%{HOSTNAME}\s%{DATA:Code}\|%{GREEDYDATA:version} -\s%{USERNAME}\s\[event@%{HOSTNAME}\s%{GREEDYDATA:kvdata}\]\sEvent type:\s%{DATA:Event_type}\r\nName:\s%{DATA:Name}\r\nPath:\s%{GREEDYDATA:Path}\r\nProcess ID:\s%{GREEDYDATA:Process_ID}\nUser:\s%{GREEDYDATA:User}\r\nComponent:\s%{GREEDYDATA:Component}Description:\s%{DATA:Description}Type:\s%{DATA:Type}Name:\s%{DATA:Name2}Threat level:\s%{DATA:Threat_level}Precision:\s%{DATA:Precision}\r\nAction:\s%{DATA:Action}\r\nObject:\s%{DATA:Object}Type:\s%{DATA:Type2}Path:\s%{DATA:Path2}Name:\s%{DATA:Name3}\r\nReason:\s%{DATA:Reason}\r\n" }
    }
    kv {
      # split the key="value" pairs captured in kvdata and strip the surrounding double quotes
      source => "kvdata"
      trim_value => '"'
    }
  }
}
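To show what the grok + kv pipeline above is doing, and why an unescaped `|` in the pattern leaves most fields empty, here is an added stand-alone model of it (not part of the original post and not Logstash's own code). It re-types a small subset of grok's base patterns and uses Python's `re` in place of grok's Oniguruma engine; the sample event is constructed, not a real Kaspersky message.

```python
import re

# Minimal subset of Logstash's built-in grok patterns, re-typed here as approximations.
GROK = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "INT": r"[+-]?\d+",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9._-]*",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

def grok_to_regex(pattern):
    """Expand %{SYNTAX} / %{SYNTAX:field} into named groups; everything else is plain regex."""
    def repl(m):
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)

HEADER = (r"%{SYSLOGTIMESTAMP}\s%{IPV4:SourceIP}\s%{INT}\s%{TIMESTAMP_ISO8601}\s%{HOSTNAME}\s"
          r"%{DATA:Code}\|%{GREEDYDATA:version} -\s%{USERNAME}\s\[event@%{HOSTNAME}\s%{GREEDYDATA:kvdata}\]\s")
# Event body: one "Label: value" per CRLF-terminated line (only three labels kept here).
BODY = r"Event type:\s%{DATA:Event_type}\r\nName:\s%{DATA:Name}\r\nReason:\s%{DATA:Reason}\r\n"
GOOD = re.compile(grok_to_regex(HEADER + BODY))
# Same pattern with '|' left unescaped: it becomes an alternation that splits the regex in two.
BAD = re.compile(grok_to_regex((HEADER + BODY).replace(r"\|", "|")))

def parse_kv(text, trim_value='"'):
    """Like the kv filter with trim_value: split key=value pairs, strip surrounding quotes."""
    return {k: v.strip(trim_value) for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}

def parse_event(line, regex=GOOD):
    """Return the grok fields merged with the kv fields, or {} when the pattern does not match."""
    m = regex.match(line)
    if not m:
        return {}
    fields = m.groupdict()
    fields.update(parse_kv(fields.get("kvdata") or ""))
    return fields

# Constructed sample in the shape the pattern above expects; not a real Kaspersky event.
SAMPLE = ("Mar  4 10:15:22 10.0.0.5 1 2024-03-04T10:15:21Z ksc-host KES|11.0.0.6499 - admin "
          '[event@12345 hostname="pc-01" product="KES"] Event type: Malicious object detected\r\n'
          "Name: EICAR-Test-File\r\nReason: Expert analysis\r\n")
```

With `BAD`, the left half of the alternation matches on its own, so `Code` comes back empty and `version`, `kvdata` and the body fields are all `None`; that is the kind of partial parse that shows up as fields landing in the wrong place in Kibana.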

I figured out my issue. This can be marked as resolved.
