I’d like to have a Pipeline processor that pulls out the Antivirus Signature age and the Antispyware Signature age values from the following message.
I’ve tried looking through all the GROK documentation but can’t see anything that allows me to find and extract text from a message where the formatting is as below:
Endpoint Protection client health report (time in UTC):
Platform version: 4.18.2005.5
Engine version: 1.1.17100.2
Network Realtime Inspection engine version: 1.1.17100.2
Antivirus signature version: 1.317.1666.0
Antispyware signature version: 1.317.1666.0
Network Realtime Inspection signature version: 1.317.1666.0
RTP state: Enabled
OA state: Enabled
IOAV state: Enabled
BM state: Enabled
Antivirus signature age: 69
Antispyware signature age: 69
Last quick scan age: 0
Last full scan age: 4294967295
Antivirus signature creation time: 18/06/2020 16:23:49
Antispyware signature creation time: 18/06/2020 16:23:48
Last quick scan start time: 27/08/2020 02:54:01
Last quick scan end time: 27/08/2020 02:54:50
Last quick scan source: 2
Last full scan start time: 01/01/1601 00:00:00
Last full scan end time: 01/01/1601 00:00:00
Last full scan source: 0
Product status: 0x00080060
@xtruthx Thanks for that. How do you format that in a pipeline rule, though? The grok function doesn’t have an example in the documentation, and the Functions description in the rule editor just says grok(pattern, value).
If I try something like:
let ms = to_string($message.message);
let ava = grok(pattern: "Antivirus signature age: %{INT:antivirus_signature_age}", value: ms);
I get a load of errors so I’m missing something, perhaps how to encapsulate the pattern?
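One way to write the rule the thread is after, as an added example rather than code from the original posts or from Graylog's own documentation. It assumes the health report arrives in the `message` field, that Graylog's `grok` function accepts the named parameters `pattern`, `value` and `only_named_captures`, and that the `:int` type suffix on a grok capture is supported; check these against the grok function entry for your Graylog version.

```graylog
rule "Defender health report: extract signature ages"
when
  // Only touch messages that carry the report; the report text is
  // assumed to sit in $message.message.
  has_field("message") &&
  contains(to_string($message.message), "signature age:")
then
  let ms = to_string($message.message);

  // The grok pattern is a quoted string literal. grok searches within
  // the text, so no leading .*? is needed, and ':' and ' ' need no
  // escaping. The :int suffix stores the capture as a number, so the
  // field can be compared numerically in searches and alerts.
  let av = grok(
    pattern: "Antivirus signature age: %{INT:antivirus_signature_age:int}",
    value: ms,
    only_named_captures: true
  );
  set_fields(av);

  let spy = grok(
    pattern: "Antispyware signature age: %{INT:antispyware_signature_age:int}",
    value: ms,
    only_named_captures: true
  );
  set_fields(spy);
end
```

With the ages stored as integers, an alert condition such as antivirus_signature_age > 7 (the threshold is an assumption) flags clients whose definitions have gone stale, as the value 69 in the sample report would.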