Crowdstrike logs parsing

Hello Everyone,

I am working on parsing crowdstrike logs. I haven’t worked with graylog but I know how pipeline, grok patterns workes with graylog.
Now I’m working with key-value, the following is the sample raw log from crowdstrike. IT would be a great help if you guys assist me to start with parsing.

CEF:0|CrowdStrike|FalconHost|1.0|validateEntitlementsHmac|validateEntitlementsHmac|1| cat=AuthActivityAuditEvent destinationTranslatedAddress=0.0.0.0 duser=Customer deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=1118760 outcome=false deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 23 2019 09:52:59 rt=1569202779111

CEF:0|CrowdStrike|FalconHost|1.0|validateEntitlementsHmac|validateEntitlementsHmac|1| cat=AuthActivityAuditEvent destinationTranslatedAddress=1.1.1.1 duser=Customer deviceProcessName=CrowdStrike Authentication cn3Label=Offset cn3=1117240 outcome=false deviceCustomDate1Label=Timestamp deviceCustomDate1=Sep 22 2019 22:52:45 rt=1569211165063

that is a CEF message - you can use the CEF parsing rule plus a key-value rule to get all of that parsed.

Thanks a lot Jan, Could you please advise any documentation or syntax to get start with.

I guess you try to fool me, right?

I haven’t worked with graylog but I know how pipeline, grok patterns workes with graylog.

Could you please advise any documentation or syntax to get start with.

My Apologies Jan. I mean to say documentation with examples will help me understand where I am going wrong.
I new to graylog, whatever I know about pipelines, grok patterns i have learned in past few days.

use the CEF function:

plus a KV extractor like:

rule "extract message kv"
when
    has_field("message")
then
    // extract all key-value from "message" 
    set_fields(
                fields: 
                        key_value(
                            value: to_string($message.message), 
                            trim_value_chars: "\"",
                            trim_key_chars: "\"",
                            delimiters: " ",
                            kv_delimiters: "="
                            ),
            );

end

and you should write where you have problems with …

Thanks a lot, Jan it worked for me.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.