GROK Extractor: how to match exact text and assign it to a field at the same time?

Hi, I’m pushing Windows logs, including, but not limited to, Security Audit messages, into Graylog and want to separate the latter into a dedicated stream. I’ve got a few extractors for different security audit events; one example begins like this:
“grok_pattern: %{SYSLOGTIMESTAMP} %{HOSTNAME:win_hostname} Microsoft-Windows-Security-Audit Fehler bei der Kerberos-Vorauthentifizierung. Kontoinformationen: Sicherheits-ID: %{DATA:win_security_id} Kontoname: %{DATA:win_account_name}”

My question is: I’d like to put all messages that include “Microsoft-Windows-Security-Audit” into a stream of their own, but in the stream rules I need to specify a field that is evaluated. So far, I don’t assign the string “Microsoft-Windows-Security-Audit” to a field. I know that I could do that with “%{DATA:win_mswinsecaudit}”, but then I wouldn’t be checking the string for an exact match anymore. Can I do both things at the same time with GROK? If so, how?

Cheers,
Tobias

With the processing pipelines you could be a little more specific, and you would be able to have staged rules that first split everything and later route, based on that content, into specific streams.

Ah, OK, thanks for the hint. I haven’t used any pipelines yet, but I’ll check them out.
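Worked example, added here by the editor and not part of the original thread or of Graylog itself. Standard grok syntax already answers the question above: wrapping a literal in a named capture, `(?<win_mswinsecaudit>Microsoft-Windows-Security-Audit)`, keeps the exact-match check and stores the matched literal in a field at the same time, so a stream rule can test that field. The Python below is a small stand-in for the grok extractor: it expands `%{NAME:field}` references from a constructed subset of the pattern library, rewrites grok-style named captures into Python's form, and then contrasts the loose `%{DATA:win_mswinsecaudit}` capture with the exact one on constructed sample lines. The `process` function mimics the two-stage extract-then-route idea from the reply; the stream names, sample logs, `win_event_text` field and pattern subset are all assumptions for illustration.

```python
import re

# Constructed subset of the stock grok library (simplified; the upstream
# definitions for SYSLOGTIMESTAMP and friends are more elaborate).
GROK_LIBRARY = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:[12]\d|3[01]|0?[1-9])",
    "TIME": r"\d{2}:\d{2}:\d{2}",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9._-]*",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, library=GROK_LIBRARY):
    """Expand %{NAME} / %{NAME:field} references recursively into a Python
    regex. Grok-style named groups (?<field>...) are rewritten to Python's
    (?P<field>...) form; lookbehinds (?<= / (?<! are left untouched."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(library[name], library)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    regex = _REF.sub(expand, pattern)
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)


def grok_match(pattern, text):
    """Return the named captures as a dict, or None when the pattern does
    not match. The match is anchored at the start only, as in an extractor,
    so a pattern must add its own end anchor if it needs one."""
    m = re.compile(grok_to_regex(pattern)).match(text)
    return m.groupdict() if m else None


# Loose form from the question: the provider slot accepts anything, so the
# field is set for every Windows line and cannot drive a stream rule.
LOOSE = (r"%{SYSLOGTIMESTAMP} %{HOSTNAME:win_hostname} "
         r"%{DATA:win_mswinsecaudit} %{GREEDYDATA:win_event_text}")

# Exact form: a named capture around the literal. It matches only when the
# provider is exactly Microsoft-Windows-Security-Audit and, on a match,
# stores that literal in win_mswinsecaudit for the stream rule to test.
EXACT = (r"%{SYSLOGTIMESTAMP} %{HOSTNAME:win_hostname} "
         r"(?<win_mswinsecaudit>Microsoft-Windows-Security-Audit) "
         r"%{GREEDYDATA:win_event_text}")

# The event-specific extractor from the question with the same exact capture.
# A trailing $ is needed because %{DATA} is non-greedy and would otherwise
# capture an empty account name at the end of the pattern.
KERBEROS_PREAUTH = (
    r"%{SYSLOGTIMESTAMP} %{HOSTNAME:win_hostname} "
    r"(?<win_mswinsecaudit>Microsoft-Windows-Security-Audit) "
    r"Fehler bei der Kerberos-Vorauthentifizierung\. Kontoinformationen: "
    r"Sicherheits-ID: %{DATA:win_security_id} Kontoname: %{DATA:win_account_name}$")

# Constructed sample lines, not real log data.
SAMPLE_LOGS = [
    "Mar  3 10:15:42 DC01 Microsoft-Windows-Security-Audit Fehler bei der "
    "Kerberos-Vorauthentifizierung. Kontoinformationen: Sicherheits-ID: "
    "S-1-5-21-1111-2222-3333-1104 Kontoname: jdoe",
    "Mar  3 10:15:43 DC01 Microsoft-Windows-Sysmon Process Create: "
    "Image: C:\\Windows\\System32\\cmd.exe",
]


def process(message):
    """Two staged steps in the spirit of a processing pipeline: stage 1
    extracts fields, stage 2 routes on a field that stage 1 may have set."""
    fields = {"message": message}
    fields.update(grok_match(EXACT, message) or {})             # stage 1
    fields.update(grok_match(KERBEROS_PREAUTH, message) or {})
    stream = ("Windows Security Audit"                           # stage 2
              if fields.get("win_mswinsecaudit") == "Microsoft-Windows-Security-Audit"
              else "All messages")
    return stream, fields


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        loose = grok_match(LOOSE, line)
        stream, fields = process(line)
        print(f"loose capture : {loose['win_mswinsecaudit']!r}")
        print(f"exact capture : {fields.get('win_mswinsecaudit')!r}")
        print(f"routed to     : {stream}\n")
```

Running it shows the difference the question is about: the loose pattern happily stores `Microsoft-Windows-Sysmon` in `win_mswinsecaudit` for the second line, while the exact pattern fails to match it at all, so only the first line carries the field and is routed to the dedicated stream. In Graylog the same `(?<field>literal)` capture can be used directly in the extractor's grok pattern, with the stream rule then checking that `win_mswinsecaudit` equals the literal.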
