Extracting message using Grok Pattern

Hello guys
I’m extracting 3 messages from Windows events 4741, 4742 and 4743.
All 3 events look the same. I already extracted 1 event message using a Grok pattern and then made a pipeline rule; however, only two are parsing logs or getting fields, the other one is not parsing.
Here are the event messages:

1- A computer account was created.

Subject:

Security ID: NEW\Administrator
Account Name: Administrator
Account Domain: NEW
Logon ID: 0x27a79

2- A computer account was changed.

Subject:

Security ID: NEW\Administrator
Account Name: Administrator
Account Domain: NEW
Logon ID: 0x27a79

3- A computer account was deleted.

Subject:

Security ID: NEW\Administrator
Account Name: Administrator
Account Domain: NEW
Logon ID: 0x27a79

Here is my question: I want to make a field for the title of these events,
for example: A computer account was created, changed or deleted,
so that I can make a dashboard to monitor all these events.

Anyone who can help, please.
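As an added example (not code from the original post or from Graylog), here is one pattern that covers all three messages at once. It turns the verb in the first line into an `account_action` field, derives the `event_title` the dashboard needs from it, and cross-checks that verb against the event ID so that a 4742 whose text does not say "changed" is flagged instead of silently accepted. The Grok form is given in a comment; the Python regex below is its hand-expanded equivalent so it can be run offline against the three messages, which are reconstructed here from the post (the field names `account_action`, `subject_sid`, `subject_account`, `subject_domain` and `subject_logon_id` are my choice, not names from the post). The `\s+` between fields tolerates CRLF line endings and a varying number of blank lines, which is the usual reason an otherwise identical Windows message fails to match a pattern written against a single sample:

```python
import re

# Grok equivalent (assumed; adapt field names to taste in an extractor or pipeline rule):
#   ^A computer account was %{WORD:account_action}\.\s+Subject:\s+
#   Security ID:\s+%{NOTSPACE:subject_sid}\s+Account Name:\s+%{NOTSPACE:subject_account}\s+
#   Account Domain:\s+%{NOTSPACE:subject_domain}\s+Logon ID:\s+%{NOTSPACE:subject_logon_id}
EVENT_RE = re.compile(
    r"^A computer account was (?P<account_action>\w+)\.\s+"
    r"Subject:\s+"
    r"Security ID:\s+(?P<subject_sid>\S+)\s+"
    r"Account Name:\s+(?P<subject_account>\S+)\s+"
    r"Account Domain:\s+(?P<subject_domain>\S+)\s+"
    r"Logon ID:\s+(?P<subject_logon_id>0x[0-9a-fA-F]+)",
    re.MULTILINE,
)

# Expected verb per event ID; a mismatch between ID and message text is worth alerting on.
EVENT_TITLES = {4741: "created", 4742: "changed", 4743: "deleted"}


def parse_computer_account_event(event_id, message):
    """Return the extracted fields for one event, or None if the message does not match."""
    match = EVENT_RE.search(message)
    if match is None:
        return None
    fields = match.groupdict()
    fields["event_id"] = event_id
    # The field the dashboard groups on: the full title line, rebuilt from the verb.
    fields["event_title"] = f"A computer account was {fields['account_action']}."
    fields["title_matches_event_id"] = EVENT_TITLES.get(event_id) == fields["account_action"]
    return fields


def parse_all(events):
    """Parse (event_id, message) pairs; unparseable messages are dropped, not guessed at."""
    parsed = (parse_computer_account_event(eid, msg) for eid, msg in events)
    return [fields for fields in parsed if fields is not None]


# Constructed sample input modelled on the three messages in the post.
# The second one uses CRLF and an extra blank line to show the pattern still matches.
SAMPLE_EVENTS = [
    (4741, "A computer account was created.\n\nSubject:\n\n"
           "Security ID: NEW\\Administrator\nAccount Name: Administrator\n"
           "Account Domain: NEW\nLogon ID: 0x27a79\n"),
    (4742, "A computer account was changed.\r\n\r\n\r\nSubject:\r\n\r\n"
           "Security ID: NEW\\Administrator\r\nAccount Name: Administrator\r\n"
           "Account Domain: NEW\r\nLogon ID: 0x27a79\r\n"),
    (4743, "A computer account was deleted.\n\nSubject:\n\n"
           "Security ID: NEW\\Administrator\nAccount Name: Administrator\n"
           "Account Domain: NEW\nLogon ID: 0x27a79\n"),
]

if __name__ == "__main__":
    for fields in parse_all(SAMPLE_EVENTS):
        print(fields["event_id"], fields["event_title"], fields["subject_sid"],
              "ok" if fields["title_matches_event_id"] else "TITLE/ID MISMATCH")
```

Running the script prints one line per event with its ID, the rebuilt title and the acting account. If one of the three real messages still fails to match, print `repr(message)` for that event first: a stray tab, a `\r`, or non-breaking space between "Subject:" and "Security ID:" shows up there immediately and tells you which `\s+` or literal in the pattern needs loosening.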

Are you using winlogbeats as a log shipper on your Windows machines? That extracts a lot of information before sending to the Beats input… It’s not clear how you are working with the message: are you using extractors, are you working in the pipeline? Here are some tips on how to make your question clearer here and here.