I am working on parsing CrowdStrike logs. I haven't worked with Graylog, but I know how pipelines and grok patterns work with Graylog.
Now I'm working with key-value. The following is a sample raw log from CrowdStrike. It would be a great help if you guys could assist me in getting started with parsing.
CEF:0|CrowdStrike|FalconHost|1.0|validateEntitlementsHmac|validateEntitlementsHmac|1| cat=AuthActivityAuditEvent destinationTranslatedAddress=0.0.0.0 duser=Customer deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=1118760 outcome=false deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 23 2019 09:52:59 rt=1569202779111
CEF:0|CrowdStrike|FalconHost|1.0|validateEntitlementsHmac|validateEntitlementsHmac|1| cat=AuthActivityAuditEvent destinationTranslatedAddress=22.214.171.124 duser=Customer deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=1117240 outcome=false deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 22 2019 22:52:45 rt=1569211165063
That is a CEF message - you can use the CEF parsing rule plus a key-value rule to get all of that parsed.
Thanks a lot, Jan. Could you please advise any documentation or syntax to get started with?
I guess you try to fool me, right?

> I haven't worked with Graylog, but I know how pipelines and grok patterns work with Graylog.

> Could you please advise any documentation or syntax to get started with?
My apologies, Jan. I meant to say that documentation with examples will help me understand where I am going wrong.
I am new to Graylog; whatever I know about pipelines and grok patterns I have learned in the past few days.
Use the CEF function:
plus a KV extractor like:
rule "extract message kv"
when true
then
  // extract all key-value pairs from "message" (pairs separated by spaces, key and value by "=")
  set_fields(key_value(value: to_string($message.message), delimiters: " ", kv_delimiters: "="));
end
And you should write where you have problems with …
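As an added example (not code from Jan's post or from Graylog itself), here is a complete pipeline rule for the two sample lines above that runs Graylog's parse_cef function on the raw message. It assumes the parameter names cef_string and use_full_names as documented for the Graylog CEF plugin, that the raw CEF line arrives in the message field, and the field name log_source is my own choice.

```graylog
rule "crowdstrike falcon cef"
when
  // only touch lines that carry a CEF header, like the samples above
  starts_with(to_string($message.message), "CEF:0|")
then
  // the header (vendor, product, version, signature id, name, severity)
  // and the extension key=value pairs all become message fields
  let cef = parse_cef(
    cef_string: to_string($message.message),
    use_full_names: false
  );
  set_fields(cef);
  // assumed field name, handy for stream routing later
  set_field("log_source", "crowdstrike_falcon");
end
```

Note that CEF extension values may contain spaces (deviceProcessName=CrowdStrike Authentication, deviceCustomDate1=Sep 23 2019 09:52:59 in the samples), which a plain space-delimited key_value split would cut off after the first word, so run the CEF function on the raw line rather than relying on key_value alone.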
Thanks a lot, Jan, it worked for me.