How to get Graylog to parse new fields from powershell

Graylog Central (peer support)
,
1

I created a new Windows evenlog and am piping powershell results like this:

winlogbeat_event_data_param1
Id : 2892
Handles : 369
CPU : 105.421875
SI : 0
Name : WmiPrvSE

Id : 3084
Handles : 331
CPU : 13.5625
SI : 0
Name : WmiPrvSE

Id : 11292
Handles : 208
CPU : 1.359375
SI : 0
Name : WmiPrvSE

Id : 20416
Handles : 172
CPU : 0.03125
SI : 0
Name : WmiPrvSE

How do I get Graylog to parse each line into a field or parse a table in the eventlog like so:

message
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName

369      22    14428      14568     105.39   2892   0 WmiPrvSE                                                     
331      17    15192      11472      13.52   3084   0 WmiPrvSE                                                     
211      14     5284      12716       1.28  11292   0 WmiPrvSE

Basically what im trying to do is use powershell like osquery, and I want to ensure new fields are created for certain powershell results to a new eventlog I created.

2

how did you ingest the data into graylog?

3

I did it with winlogbeat

4

and how did that looks if transported to Graylog?

Are those information in the same field or all in the same field?

5

they are all put in messages, not separate fields or parsed.

6

then you need to parse that with REGEX or GROK for example to create new fields.

7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.