CrowdStrike logs parsing

Hello Everyone,

I am working on parsing CrowdStrike logs. I haven't worked with Graylog, but I know how pipelines and grok patterns work with Graylog.
Now I'm working with key-value. The following is a sample raw log from CrowdStrike. It would be a great help if you could assist me in getting started with parsing.

CEF:0|CrowdStrike|FalconHost|1.0|validateEntitlementsHmac|validateEntitlementsHmac|1| cat=AuthActivityAuditEvent destinationTranslatedAddress=0.0.0.0 duser=Customer deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=1118760 outcome=false deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 23 2019 09:52:59 rt=1569202779111

CEF:0|CrowdStrike|FalconHost|1.0|validateEntitlementsHmac|validateEntitlementsHmac|1| cat=AuthActivityAuditEvent destinationTranslatedAddress=1.1.1.1 duser=Customer deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=1117240 outcome=false deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 22 2019 22:52:45 rt=1569211165063

That is a CEF message: you can use the CEF parsing rule plus a key-value rule to get all of that parsed.

Thanks a lot, Jan. Could you please advise on any documentation or syntax to get started with?

I guess you are trying to fool me, right?

I haven't worked with Graylog, but I know how pipelines and grok patterns work with Graylog.

Could you please advise on any documentation or syntax to get started with?

My apologies, Jan. I meant to say that documentation with examples will help me understand where I am going wrong.
I am new to Graylog; whatever I know about pipelines and grok patterns I have learned in the past few days.

Use the CEF function:

plus a KV extractor like:

rule "extract message kv"
when
    has_field("message")
then
    // extract every key=value pair from the raw "message" field;
    // pairs are separated by a single space and key and value by "="
    set_fields(
        fields: key_value(
            value: to_string($message.message),
            trim_value_chars: "\"",
            trim_key_chars: "\"",
            delimiters: " ",
            kv_delimiters: "="
        )
    );
end

and you should write where you have problems with …

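For anyone who wants to see what the CEF rule and the key-value rule actually have to do with the message above, here is a stand-alone parser. It is an added example written for this thread, not code from the original posts and not Graylog's own implementation; the helper names (parse_cef, parse_extension, apply_labels, naive_extension) are my own, and the sample lines are the two from the first post. It splits the header on unescaped pipes, reads the extension so that values containing spaces such as deviceProcessName=CrowdStrike Authentication and deviceCustomDate1=Sep 23 2019 09:52:59 survive, copies the cn3 and deviceCustomDate1 fields under their *Label names (Offset, Timestamp), and converts rt (epoch milliseconds) to UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the two CrowdStrike Falcon CEF lines quoted in the thread.
SAMPLE_LOGS = [
    "CEF:0|CrowdStrike|FalconHost|1.0|validateEntitlementsHmac|validateEntitlementsHmac|1| "
    "cat=AuthActivityAuditEvent destinationTranslatedAddress=0.0.0.0 duser=Customer "
    "deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=1118760 outcome=false "
    "deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 23 2019 09:52:59 rt=1569202779111",
    "CEF:0|CrowdStrike|FalconHost|1.0|validateEntitlementsHmac|validateEntitlementsHmac|1| "
    "cat=AuthActivityAuditEvent destinationTranslatedAddress=1.1.1.1 duser=Customer "
    "deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=1117240 outcome=false "
    "deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 22 2019 22:52:45 rt=1569211165063",
]

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
HEADER_SPLIT = re.compile(r"(?<!\\)\|")          # split on pipes that are not escaped as "\|"
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # an extension key: word chars + "=" at a token start
ESCAPES = {"|": "|", "=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def unescape(text):
    """Resolve CEF backslash escapes; unknown escapes are left untouched."""
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(0)), text)


def parse_extension(ext):
    """Key/value parse of the CEF extension that lets values contain spaces.

    A value runs from its "=" up to the start of the next "<space>key=" token,
    so "deviceProcessName=CrowdStrike Authentication" keeps both words.
    """
    keys = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].strip())
    return fields


def naive_extension(ext):
    """What a plain split on spaces and "=" yields (the failure mode, for comparison)."""
    fields = {}
    for token in ext.split():
        if "=" in token:
            k, v = token.split("=", 1)
            fields[k] = v
    return fields


def apply_labels(fields):
    """Copy custom fields under their CEF label names, e.g. cn3Label=Offset, cn3=N -> Offset=N."""
    out = dict(fields)
    for key, label in fields.items():
        if key.endswith("Label") and key[:-5] in fields:
            out[label] = fields[key[:-5]]
    return out


def parse_cef(line):
    """Parse one CEF line into a flat dict of header fields, extension fields and derived times."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = HEADER_SPLIT.split(line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must contain seven pipe-separated fields")
    event = {name: unescape(raw) for name, raw in zip(HEADER_FIELDS, parts[:7])}
    event.update(apply_labels(parse_extension(parts[7])))
    # rt is epoch milliseconds (UTC); integer arithmetic avoids float rounding of the ms part.
    if "rt" in event:
        ms = int(event["rt"])
        event["rt_utc"] = (datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
                           + timedelta(milliseconds=ms % 1000)).isoformat(timespec="milliseconds")
    # deviceCustomDate1 carries no zone; keep it naive rather than guess an offset.
    if "deviceCustomDate1" in event:
        event["event_time"] = datetime.strptime(event["deviceCustomDate1"],
                                                "%b %d %Y %H:%M:%S").isoformat()
    return event


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_cef(line)
        print(ev["signature_id"], ev["Offset"], ev["deviceProcessName"], ev["rt_utc"], ev["event_time"])
```

Two things worth checking on your own data before trusting the parsed fields: a key-value split that uses a single space as delimiter, as in the rule above, cuts deviceProcessName at "CrowdStrike" and splits the deviceCustomDate1 value into four tokens, which is what naive_extension reproduces; and in these two samples rt and deviceCustomDate1 are hours apart and not even in the same order, so decide deliberately which one becomes the event timestamp in Graylog.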

Thanks a lot, Jan, it worked for me.
