My 4663 Log
Pattern which I have used from the site to test
https://grokdebug.herokuapp.com/
Output
{
"messageTitle": [
"An attempt was made to access an object."
],
"subjectHeader": [
"Subject:"
],
"subjectSecurityIDTitle": [
"Security ID:"
],
"subjectSecurityID": [
"S-1-5-21-3582699469-3819540374-2698495323-1156"
],
"accountNameTitle": [
"Account Name:"
],
"accountName": [
"Syed"
],
"accountDomainTitle": [
"Account Domain:"
],
"accountDomain": [
"xxx"
],
"accountLogonGUIDTitle": [
"Logon ID:"
],
"accountLogonGUID": [
"0x61162CDE"
],
"ObjectHeader": [
"Object:"
],
"ObjectServerTitle": [
"Object Server:"
],
"ObjectServer": [
"Security"
],
"ObjectTypeTitle": [
"Object Type:"
],
"ObjectType": [
"File"
],
"ObjectNameTitle": [
"Object Name:"
],
"ObjectName": [
"G:\reate a cron for dnd customers with 60days period insert it in respective campaign\csc-modules-Campaigns-models\Record.php"
],
"HandleIDTitle": [
"Handle ID:"
],
"Handle": [
"0x27fc"
],
"objectResourceAttributesTitle": [
"Resource Attributes:"
],
"ResourceAttributes": [
"S:AI(RA;;;;;WD;(\"IMAGELOAD\",TU,0x0,1))"
],
"procInfoHeader": [
"Process Information:"
],
"processIDTitle": [
"Process ID:"
],
"processID": [
"0x4"
],
"processNameTitle": [
"Process Name:"
],
"processName": [
""
],
"accessInfoHeader": [
"Access Request Information:"
],
"accessesTitle": [
"Accesses:"
],
"accesses": [
"ReadAttributes"
],
"accessMaskTitle": [
""
],
"accessmask": [
""
]
}
Like this I get output, but in Graylog I am not able to extract it.
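As an added example (not code from the original post, and not a Graylog extractor), the same 4663 fields extracted with a Python regular expression that uses named groups mirroring the field names in the output above. It runs over a constructed 4663 message body with the CRLF line endings and tab padding the Windows event log writes, and over a copy of it with all whitespace collapsed to single spaces, to show that a pattern which separates titles and values with `\s*` matches both shapes. The Resource Attributes and Access Mask parts are optional, so a truncated message (like the one above, where accessmask came back empty) still parses. The SID, account and handle values mirror the post; the object path, the access list and the access mask are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample 4663 message body (not a log from the original post):
# CRLF line endings and tab padding as written by the Windows event log.
SAMPLE_4663 = (
    "An attempt was made to access an object.\r\n\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-3582699469-3819540374-2698495323-1156\r\n"
    "\tAccount Name:\t\tSyed\r\n"
    "\tAccount Domain:\t\txxx\r\n"
    "\tLogon ID:\t\t0x61162CDE\r\n\r\n"
    "Object:\r\n"
    "\tObject Server:\t\tSecurity\r\n"
    "\tObject Type:\t\tFile\r\n"
    "\tObject Name:\t\tG:\\share\\Record.php\r\n"          # constructed path
    "\tHandle ID:\t\t0x27fc\r\n"
    "\tResource Attributes:\tS:AI(RA;;;;;WD;(\"IMAGELOAD\",TU,0x0,1))\r\n\r\n"
    "Process Information:\r\n"
    "\tProcess ID:\t\t0x4\r\n"
    "\tProcess Name:\t\t\r\n\r\n"                           # empty value
    "Access Request Information:\r\n"
    "\tAccesses:\t\tReadData (or ListDirectory)\r\n"        # two access rights
    "\t\t\t\tReadAttributes\r\n"
    "\t\t\t\t\r\n"
    "\tAccess Mask:\t\t0x81\r\n"
)

# The same message cut off before "Access Mask:", as a truncated message
# would arrive; and the same message with every run of whitespace collapsed
# to one space, as a collector that flattens multi-line messages delivers it.
SAMPLE_TRUNCATED = SAMPLE_4663.split("\tAccess Mask:")[0]
SAMPLE_FLATTENED = re.sub(r"\s+", " ", SAMPLE_4663)

# Titles and values are separated by \s*, so CRLF, LF, tabs or a single
# space all match. Single-line values use a lazy [^\r\n]*? that stops at the
# next title; Accesses may span several lines, so it uses a lazy .*? under
# DOTALL. Resource Attributes and Access Mask are optional.
PATTERN = re.compile(
    r"An attempt was made to access an object\.\s*"
    r"Subject:\s*"
    r"Security ID:\s*(?P<subjectSecurityID>\S+)\s*"
    r"Account Name:\s*(?P<accountName>[^\r\n]*?)\s*"
    r"Account Domain:\s*(?P<accountDomain>[^\r\n]*?)\s*"
    r"Logon ID:\s*(?P<logonID>0x[0-9A-Fa-f]+)\s*"
    r"Object:\s*"
    r"Object Server:\s*(?P<objectServer>[^\r\n]*?)\s*"
    r"Object Type:\s*(?P<objectType>[^\r\n]*?)\s*"
    r"Object Name:\s*(?P<objectName>[^\r\n]*?)\s*"
    r"Handle ID:\s*(?P<handleID>0x[0-9A-Fa-f]+)\s*"
    r"(?:Resource Attributes:\s*(?P<resourceAttributes>[^\r\n]*?)\s*)?"
    r"Process Information:\s*"
    r"Process ID:\s*(?P<processID>0x[0-9A-Fa-f]+)\s*"
    r"Process Name:\s*(?P<processName>[^\r\n]*?)\s*"
    r"Access Request Information:\s*"
    r"Accesses:\s*(?P<accesses>.*?)\s*"
    r"(?:Access Mask:\s*(?P<accessMask>0x[0-9A-Fa-f]+))?\s*$",
    re.DOTALL,
)


def parse_4663(message: str) -> Optional[dict]:
    """Extract the 4663 fields into a dict; None if the message does not match."""
    match = PATTERN.search(message)
    if match is None:
        return None
    fields = match.groupdict()
    # Accesses can list several rights on separate lines: keep one entry per
    # non-empty line. Optional groups that were absent stay None.
    fields["accesses"] = [
        line.strip() for line in fields["accesses"].splitlines() if line.strip()
    ]
    return fields


if __name__ == "__main__":
    for name, sample in (("crlf", SAMPLE_4663), ("truncated", SAMPLE_TRUNCATED),
                         ("flattened", SAMPLE_FLATTENED)):
        print(name, parse_4663(sample))
```

When a pattern passes on grokdebug but not in the pipeline, the first thing to compare is the exact text the two are matching: the message field the collector delivers may not have the same line endings, tabs or trailing blank lines as the text that was pasted into the debugger, and separators written as `\s*` rather than literal tabs or newlines survive that difference.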