When ingesting Windows event logs using the Graylog Sidecar and Winlogbeat it would be nice to be able to truncate some Windows Events to remove the boilerplate text at the bottom. Does anyone know of a good way to do this with Pipelines?
For this example I would want to remove everything starting at “This event is generated when…”
Example message:
On Graylog 5.1
Sending logs with Sidecar and Winlogbeat.
A quick and dirty way to do this would be to use the substring option and count backwords.
rule “windows remove boilerplate event id 4624”
//removes up to “This event is generated…” and adds notice
when
has_field(“winlogbeat_winlog_event_id”) && to_string($message.winlogbeat_winlog_event_id) == “4624”
then
let var_message1 = to_string($message.message);
//trims 1301 characters off the end of the message
let var_message2 = substring(var_message1,0,-1301);
set_field(“message”, concat(first:var_message2, second:(“boilerplate removed”)));
//for testing
set_field(“xtruncate_field”, “001”);
end
End of the message field would now be:
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128*boilerplate removed
This will take the gls_accounted_message_size result from roughly
4953 bytes
to
3761 bytes
A reduction in size of roughly 25%.
Does anyone have a better way? Possibly with Grok or Regex?
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
