Hey Guys,
How can I filter the Account Name: srvmeldedmz out of the full message in Graylog?
Please take a look at the picture.
Thanks for your help.
You can try something like this:
Account Name:[\s]*([^\s]*)
Hey, thank you very much, but the result is the first Account Name: SBG-MELDET$ and not the Account Name: srvmeldedmz
What type of message is that and is that information available in a structured manner?
How are you ingesting these messages into Graylog?
Indeed. If you import the log lines in Gelf, the SubjectUserName, TargetUserName field etc. are automatically extracted.
If that is not possible, there are many, many, many ways to achieve what you want.
For example: first extract the whole "Account For Which Logon Failed" section to the target field (or variable in a processing pipeline) with something like
Account For Which Logon Failed:(>?(.*))Failure Information
, and then use replace with regex extractor or match with the regex I gave earlier in a pipeline.
I strongly recommend using a tool like nxlog to get your Windows logs shipped in GELF to Graylog. It makes life so much easier than writing regexes.
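As an added example (not part of the original thread), the two-step extraction described above, run against a constructed Windows Security event 4625 message. It shows why the one-step regex from the earlier reply returns the Subject account (SBG-MELDET$), how isolating the "Account For Which Logon Failed" section first yields srvmeldedmz, and a single-regex variant that can be pasted into a Graylog regex extractor. The sample message, host and account names are made up; the "Failure Information:" colon and the `[\s\S]` trick for spanning newlines are my assumptions about the message layout.

```python
import re
from typing import Optional

# Constructed sample of a Windows Security event 4625 ("An account failed to log on")
# as it appears in a full_message field. Hostnames and account names are made up.
SAMPLE_4625 = """An account failed to log on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tSBG-MELDET$
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x3E7

Logon Type:\t\t\t3

Account For Which Logon Failed:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\tsrvmeldedmz
\tAccount Domain:\t\tEXAMPLE

Failure Information:
\tFailure Reason:\t\tUnknown user name or bad password.
\tStatus:\t\t\t0xC000006D
\tSub Status:\t\t0xC000006A
"""

# The one-step regex from the thread: the first "Account Name:" in the message wins,
# which is the Subject (the account that initiated the logon), not the target.
ACCOUNT_NAME_RE = re.compile(r"Account Name:[\s]*([^\s]*)")

# Step 1: isolate the section between the two headings. [\s\S]*? matches across
# newlines without needing a DOTALL flag, which matters for Graylog's Java regex too.
# The trailing colon on "Failure Information:" is an assumption about the message text.
TARGET_SECTION_RE = re.compile(
    r"Account For Which Logon Failed:([\s\S]*?)Failure Information:"
)

# Single-regex variant: same idea, one capture group, usable directly in a
# Graylog regex extractor (which expects exactly one capture group).
ONE_SHOT_TARGET_RE = re.compile(
    r"Account For Which Logon Failed:[\s\S]*?Account Name:\s*(\S+)"
)


def first_account_name(message: str) -> Optional[str]:
    """What the naive regex returns: the Subject account name."""
    m = ACCOUNT_NAME_RE.search(message)
    return m.group(1) if m else None


def target_account_name(message: str) -> Optional[str]:
    """Two-step extraction: section first, then Account Name inside that section.

    Returns None when the message has no 'Account For Which Logon Failed' section
    (e.g. a 4624 success event), so a pipeline rule can skip setting the field.
    """
    section = TARGET_SECTION_RE.search(message)
    if not section:
        return None
    m = ACCOUNT_NAME_RE.search(section.group(1))
    return m.group(1) if m else None


def one_shot_target_account_name(message: str) -> Optional[str]:
    """Same result as target_account_name, using one regex with one capture group."""
    m = ONE_SHOT_TARGET_RE.search(message)
    return m.group(1) if m else None


def extract_logon_failure(message: str) -> dict:
    """The fields a pipeline rule would set from a 4625 full_message."""
    return {
        "subject_account_name": first_account_name(message),
        "target_account_name": target_account_name(message),
    }


if __name__ == "__main__":
    # Naive regex -> SBG-MELDET$ ; section-scoped regex -> srvmeldedmz
    print(extract_logon_failure(SAMPLE_4625))
```

The one-shot pattern is the one to paste into a Graylog extractor; the two-step form maps onto a pipeline rule that first stores the section in a variable and then applies the `Account Name:` regex to it. Both return nothing on events that lack the section, so the field is only set when it is meaningful.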
Hey, this is a Windows Event Log. I use NXLog to send it to my Graylog server.
Hey, I do use NXLog to ship my Windows logs to my Graylog server.
This is my nxlog.conf:
I also tried to send log messages from "meldewesen.log" via GELF, but this doesn't work because
the log file includes multiline messages. There is definitely a way, but I couldn't find a solution yet.
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
#Module xm_syslog
Module xm_gelf
</Extension>
<Input in1>
Module im_mseventlog
</Input>
#<Input in2>
# Module im_file
# File "C:\Meldewesen\log\meldewesen\meldewesen.log"
# SavePos FALSE
#</Input>
<Output out>
Module om_tcp
Host 172.20.42.15
Port 12210
#Exec to_syslog_snare();
OutputType GELF_TCP
</Output>
<Route 1>
Path in1 => out
</Route>
Which version of Windows are you running?
Also make sure to read the NXLog Community Edition Reference Manual (NXLog Docs).
FWIW, personally I like Winlogbeat better than NXLOG for fetching Windows Event Logs.
I am running a Microsoft Windows Server 2008 R2 VM.
im_mseventlog is for Windows 2003/XP. For Windows 2008, change it to im_msvistalog.