Extract text from message

nick · August 27, 2020, 1:24pm

I’d like to have a Pipeline processor that pulls out the Antivirus Signature age and the Antispyware Signature age values from the following message.

I’ve tried looking through all the GROK documentation but can’t see anything that allows me to find and extract text from a message where the formatting is as below:

Endpoint Protection client health report (time in UTC):
 	Platform version: 4.18.2005.5
 	Engine version: 1.1.17100.2
 	Network Realtime Inspection engine version: 1.1.17100.2
 	Antivirus signature version: 1.317.1666.0
 	Antispyware signature version: 1.317.1666.0
 	Network Realtime Inspection signature version: 1.317.1666.0
 	RTP state: Enabled
 	OA state: Enabled
 	IOAV state: Enabled
 	BM state: Enabled
 	Antivirus signature age: 69
 	Antispyware signature age: 69
 	Last quick scan age: 0
 	Last full scan age: 4294967295
 	Antivirus signature creation time: 18/06/2020 16:23:49
 	Antispyware signature creation time: 18/06/2020 16:23:48
 	Last quick scan start time: 27/08/2020 02:54:01
 	Last quick scan end time: 27/08/2020 02:54:50
 	Last quick scan source: 2
 	Last full scan start time: 01/01/1601 00:00:00
 	Last full scan end time: 01/01/1601 00:00:00
 	Last full scan source: 0
 	Product status: 0x00080060

xtruthx · August 31, 2020, 7:39am

If you are only interested in that value you can use grok like regex. I am not really sure if this is the best way but it is possible.

Possible Grok-pattern quick and dirty:

.*?Antivirus signature age\:\ %{INT:antivirus_signature_age}

nick · September 3, 2020, 1:57pm

@xtruthx Thanks for that - how do you format that in a pipeline rule though? The grok function doesn’t have an example in the documentation and the Functions description in the rule editor just says grok(pattern, value).

If I try something like:

let ms = to_string($message.message);
let ava = grok(.*?Antivirus signature age\:\ %{INT:antivirus_signature_age}, ms);

I get a load of errors so I’m missing something, perhaps how to encapsulate the pattern?

shoothub · September 3, 2020, 2:07pm

You can find example of pipeline functions here:

For grok function check this:

github.com

Graylog2/graylog2-server/blob/master/graylog2-server/src/test/resources/org/graylog/plugins/pipelineprocessor/functions/grok.txt

rule "grok"
when true
then
    let matches = grok(pattern: "%{GREEDY:timestamp;date;yyyy-MM-dd'T'HH:mm:ss.SSSX}", value: "2015-07-31T10:05:36.773Z");
    set_fields(matches);

    // only named captures
    let matches1 = grok("%{NUM:num}", "10", true);
    set_fields(matches1);

    //test for underscore
    let matches2 = grok("%{UNDERSCORE}", "test", true);
    set_fields(matches2);
end

So your correct line will be (It’s not necessary to escape : and space) and true in last parametes turns on only named captures:

  let ava = grok(".*?Antivirus signature age: %{INT:antivirus_signature_age}", ms, true);

nick · September 3, 2020, 2:12pm

@shoothub that’s really helpful thanks, it doesn’t quite return what I’m looking for though.

The result of the above line is:

{"antivirus_signature_age":"76"}

whereas I need it to be

I can’t figure out what needs to change, grok is new to me

shoothub · September 3, 2020, 2:17pm

You need to store it as field, so please add this line after line let ava:

    set_fields(ava);

nick · September 3, 2020, 2:24pm

Thank you!

I was using set_field(“antivirus_signature_age”, ava);

I guess the grok result has the field name included.

nick · September 4, 2020, 10:47am

The final answer was to use:

let ms = to_string($message.message);
let ava = grok(".*?Antivirus signature age: %{INT:antivirus_signature_age;int}", ms, true);
set_fields(ava);

Otherwise the set_fields command sets the INT as a String.

system · September 18, 2020, 10:47am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.