Parse Multiline Messages

I’m trying to parse the message below which comes into the full_message field on the GELF TCP input.

I’m having issues with creating an extractor on a multiline field, I have tried grok patterns with (?s) as suggested here but it didn’t seem to do anything. I also tried regex but its the same issue of only being able to use 1 line.

I also tried to use a pipeline but I’m having trouble figuring out the coding any help would be greatly appreciated. An example of how i might do it would be great too.

A directory service object was modified.

Subject:
Security ID: S-1-5-21-2204958825-1778247899-2594878194-3373
Account Name: user12
Account Domain: domain
Logon ID: 0x11D9404F4

Directory Service:
Name: domain.com
Type: Active Directory Domain Services

Object:
DN: CN=user name,OU=ExcludeFromPhoneDirectory,OU=IT,OU=domainUsers,OU=domainDomainResources,DC=domain,DC=local
GUID: {25DF5F5C-5E69-45A0-BDCF-41BDDF42B88B}
Class: user

Attribute:
LDAP Display Name: userPrincipalName
Syntax (OID): 2.5.5.12
Value: user1@domain.com

Operation:
Type: Value Added
Correlation ID: {43F7C446-9D4F-4FF9-A433-34DEC6ACBBB9}
Application Correlation ID: -

I’m looking for an output for each value ie.

Security ID
S-1-5-21-2204958825-1778247899-2594878194-3373

Account Name
user12

Account Domain
domain

Logon ID
0x11D9404F4

I did try using a pipeline with the code below but it doesn’t seem to do anything and I’m not sure why.

rule "Parse full_message EventID 5136"
when
    true
then
    let msg = parse_json(to_string($message.full_message));
    let prop = select_jsonpath(msg, {Type: "$.Operation.Type"});
    set_field("Type", to_string(prop.Type));
    let props = parse_json(to_string($message.Type));
    set_fields(to_map(props));
end

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.