I have the Windows sidecar installed and am using filebeat to collect Microsoft Exchange logs into Graylog. I use the dissect processor to extract the log into fields.
My conf:
processors:
  - dissect:
      # field order of the Exchange message-tracking log
      tokenizer: "%{date_time},%{client_ip},%{client_hostname},%{server_ip},%{server_hostname},%{source_context},%{connector_id},%{source},%{event_id},%{internal_message_id},%{message_id},%{network_message_id},%{recipient_address},%{recipient_status},%{total_bytes},%{recipient_count},%{related_recipient_address},%{reference},%{message_subject},%{sender_address},%{return_path},%{message_info},%{directionality},%{tenant_id},%{original_client_ip},%{original_server_ip},%{custom_data},%{transport_traffic_type},%{log_id},%{schema_version}"
      field: "message"
      target_prefix: "TRACKING"
My problem is that in Exchange every field can contain "" and then there can be extra commas inside, but filebeat reads each of them as the start of the next field. Can I configure filebeat to understand that all data between "" is one field even if it contains a comma?
Normal log: field1, field2, field3
Exchange log: field1, field2, "f,i,e,l,d,3"
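To make the failure mode concrete, here is an added example (not part of the post or of Filebeat) that parses a constructed Exchange message-tracking line with the field order from the tokenizer above. A naive comma split (what a plain comma tokenizer does) yields too many parts when the subject is quoted and contains commas; a quote-aware CSV parse keeps the quoted subject as one field. The sample line and its values are constructed, not real log data.

```python
import csv
import io

# Field order of the Exchange message-tracking log, taken from the dissect tokenizer in the post.
TRACKING_FIELDS = [
    "date_time", "client_ip", "client_hostname", "server_ip", "server_hostname",
    "source_context", "connector_id", "source", "event_id", "internal_message_id",
    "message_id", "network_message_id", "recipient_address", "recipient_status",
    "total_bytes", "recipient_count", "related_recipient_address", "reference",
    "message_subject", "sender_address", "return_path", "message_info",
    "directionality", "tenant_id", "original_client_ip", "original_server_ip",
    "custom_data", "transport_traffic_type", "log_id", "schema_version",
]

# Constructed sample line (not a real log): the subject is quoted and contains two commas.
SAMPLE_LINE = (
    "2024-01-01T10:00:00.000Z,10.0.0.5,client.example.test,10.0.0.10,EX01,"
    "08DC1234ABCD;2024-01-01T10:00:00.000Z;0,Default EX01,SMTP,RECEIVE,"
    "12345,<id@example.test>,,bob@example.test,,2048,1,,,"
    '"Invoice, order, and shipping",alice@example.test,alice@example.test,'
    ",Originating,,10.0.0.5,10.0.0.10,,Email,,15.02.1234.000"
)


def naive_split(line):
    """What a plain comma tokenizer does: every comma starts a new field, quotes or not."""
    return line.split(",")


def parse_tracking_line(line):
    """Quote-aware parse: commas inside "..." stay in the field, and a doubled "" inside
    a quoted field is an escaped quote (RFC 4180 rules). Raises if the field count is off,
    so a malformed line is noticed instead of silently shifting every later field."""
    row = next(csv.reader(io.StringIO(line), delimiter=",", quotechar='"'))
    if len(row) != len(TRACKING_FIELDS):
        raise ValueError(f"expected {len(TRACKING_FIELDS)} fields, got {len(row)}")
    return dict(zip(TRACKING_FIELDS, row))


if __name__ == "__main__":
    print(len(naive_split(SAMPLE_LINE)), "parts from a naive comma split")   # 32, not 30
    for name, value in parse_tracking_line(SAMPLE_LINE).items():
        print(f"{name}: {value}")
```

With the naive split the subject is cut at its commas and every field after it (sender_address onwards) lands under the wrong name, which is exactly the shift described above; the quote-aware parse keeps all 30 fields aligned.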