Parse and extract file name from microsoft file path

Hi guys, couldn't find a solution anywhere so I hope someone here could help.

I am new to graylog and a complete beginner in Java.

I am getting logs from a Windows machine and would like to make it very easy to find out who deleted a file on that computer using the Windows event logs. The Windows event log gives me an object like this:

E:\SharedDrive\folder\folder\file.extension

The goal is to get the file name in its own separate field.

I wanted to do it with pipelines, so I am parsing my path with a rule:

rule "create a file_name field"
when
  has_field("ObjectName")
then
  // "\\" in a rule string literal is a single backslash; swap it for "+" so the path can be split
  let fix_message = replace(to_string($message.ObjectName), "\\", "+");
  // split() takes a regex, so the "+" has to be escaped as "\\+"
  let list = split("\\+", fix_message);
  // takes the second element only; the file name sits at a different index for every path depth
  set_field("file_name", list[1]);
end

Not a Java guy.

All I want is to get the last element of that parsed list:
set_field("file_name", list[-1])
so that I can have the actual file name.

I tried with set_field("file_name", list.get(list.size() - 1));

In fact, it doesn’t let me use list.size() anywhere in my code.

I can't express how sorry I am for wasting your time if that's just regular Java that I don't get, but do you think this solution would be possible?

Currently it’s displaying the file but in a somewhat hacky way using a bunch of stages for every possible position, some of which return errors as the element just isn’t there, but the file name does reliably show up in a separate field. It’s just a bit too hacky.

I would rather use regular expression, like this:
[^\\/:*?"<>|\r\n]+$

and function:

This is a beautiful solution, I tested it online, it matches the end, but it is complete magic to me. Graylog is complaining when I do it this way:

For sure more a regex/Java thing than a graylog thing but would you have some direction as to what exactly I am not escaping correctly?

Thank you


Ok I escaped the " and tried a bunch of stuff but at best I get an empty "{ }" or the logs are just gone.

This is where my hopes were:

rule "create a file_name field"
when
  has_field("ObjectName")
then
  // no capture group here: regex() returns a map of groups, so to_string() of the result gives "{}"
  let file_name = regex(pattern: "[^\\/:*?\"<>|\r\n]+$", value: to_string($message.ObjectName));
  set_field("file_name", to_string(file_name));
end

the regex function in the manual is not discussed in detail and there are no examples. What sort of thing does regex return?

This regex doesn’t seem to be a solution.

when I use this for example [\s]([^\s]), I actually DO get some stuff: {0=D:\blabla\file.docx}

so there just isn’t a match. Something isn’t escaped correctly, so if you happen to have actually implemented this before, any ideas what’s going on?

Try to use this:

let file_name = regex("([^\\/:*?\"<>|\r\n]+$)", to_string($message.ObjectName));
set_field("file_name", to_string(file_name["0"]));

Thank you so much! Definitely way better.

Now it’s returning the whole path
\Drive\blabla\TEST\6D848C4C.tmp

([^\/:*?"<>|\r\n])+$
returns just the last letter

so close…

thank you once again, I’ll keep trying different stuff.


Hey, actually all I need is to find a pattern like this:

filename.extension
\ [letters, numbers, underscores, empty spaces] . [small letters]
I will try to figure out how to do this with Lucene but if it’s super easy for you, then I’d appreciate some help with that too. Although you have given me a lot of free help already. Much appreciated.


This is the answer:

[^\\\\]+$ - The forum is f**cking it up. It should be 4 x \


Thank you once again for your help!
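The three results reported in this thread (the "Try to use this" pattern returning the whole path, the repeated-group variant returning the last letter, and the final four-backslash pattern returning the file name) all follow from the pattern being unescaped once as a rule string literal and then compiled as a regex. The following Python script is an added example, not Graylog's code or anything posted above: it emulates those two layers so the effect of each pattern can be checked offline. It assumes that rule string literals resolve backslash escapes like Java strings and pass unknown escapes through unchanged, and that `regex()` returns the capture groups as a map keyed "0", "1", ... (as `file_name["0"]` in the answer suggests); the sample paths are constructed to match the shape of the `ObjectName` values quoted in the thread.

```python
import re
from typing import Dict, List, Optional

# Added example (not Graylog's code): emulate the two escaping layers a pattern
# passes through inside a Graylog pipeline rule string literal.
# ASSUMPTION: rule string literals resolve backslash escapes like Java strings
# (\\ -> \, \" -> ", \r, \n, \t) and pass unknown escapes through unchanged;
# the results reported in the thread are consistent with this.
_ESCAPES = {"\\": "\\", '"': '"', "n": "\n", "r": "\r", "t": "\t"}


def unescape_rule_literal(literal: str) -> str:
    """Return the string the rule engine sees after resolving escapes."""
    out: List[str] = []
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal) and literal[i + 1] in _ESCAPES:
            out.append(_ESCAPES[literal[i + 1]])
            i += 2
        else:
            out.append(ch)  # unknown escapes (e.g. "\/") are kept as typed
            i += 1
    return "".join(out)


def graylog_regex(literal: str, value: str) -> Dict[str, str]:
    """Emulate regex(pattern, value): a map of capture groups keyed "0", "1", ...
    (ASSUMPTION: the first capture group is key "0"); empty map when nothing matches."""
    match = re.search(unescape_rule_literal(literal), value)
    if match is None:
        return {}
    return {str(i): g for i, g in enumerate(match.groups())}


def file_name_from_path(literal: str, path: str) -> Optional[str]:
    """What set_field("file_name", to_string(file_name["0"])) would store."""
    return graylog_regex(literal, path).get("0")


# Constructed sample values in the shape of the thread's ObjectName field.
SAMPLE_PATHS = [
    r"E:\SharedDrive\folder\folder\file.extension",
    r"\Drive\blabla\TEST\6D848C4C.tmp",
]

# Patterns exactly as they would be typed between the rule's double quotes.
ANSWER_PATTERN = r'([^\\/:*?\"<>|\r\n]+$)'  # "Try to use this": \\ becomes \, so only / is excluded, not \
REPEATED_GROUP = r'([^\/:*?"<>|\r\n])+$'    # repeated group: each repetition overwrites the last, one char remains
FINAL_PATTERN = r'([^\\\\]+$)'              # the "4 x \" answer: \\\\ becomes \\, a regex-escaped backslash


if __name__ == "__main__":
    for name, lit in [("answer", ANSWER_PATTERN), ("repeated", REPEATED_GROUP), ("final", FINAL_PATTERN)]:
        print(f"{name}: regex seen by the engine = {unescape_rule_literal(lit)!r}")
        for p in SAMPLE_PATHS:
            print(f"    {p} -> {file_name_from_path(lit, p)!r}")
```

Running the script prints, for each pattern, the regex the engine actually compiles next to the value it would put into `file_name`; only the four-backslash pattern yields a bare file name, which is what makes a search such as `file_name:6D848C4C.tmp` reliable regardless of path depth.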
