Logstash - grok parser error #1182
Comments
I think this is due to some spacing inconsistencies. The following should work: "rest_of_msg", "Microsoft-Windows-Sysmon/Operational: INFORMATION(%{INT:event_id}): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: %{DATA:hostname}: %{DATA:event_type}: UtcTime: %{DATA:sysmon_timestamp} ProcessGuid: {%{DATA:process_guid}} ProcessId: %{INT:process_id} Image: %{DATA:image_path} CommandLine: %{DATA:process_name} %{DATA:process_arguments}CurrentDirectory: %{DATA:current_directory} User: %{DATA:user} LogonGuid: {%{DATA:logon_guid}} LogonId: %{DATA:logon_id} TerminalSessionId: %{INT:terminal_id} IntegrityLevel: %{DATA:integrity_level} Hashes: MD5=%{DATA:md5},SHA256=%{DATA:sha256} ParentProcessGuid: {%{DATA:parent_process_guid}} ParentProcessId: %{NONNEGINT:parent_process_id} ParentImage: %{DATA:parent_image_path} ParentCommandLine: %{GREEDYDATA:parent_process_name}", Inserted after the following line: in Thanks,
Merged dougburks/securityonion-elastic#146 and added this to Beta 3 list:
Thanks, Gents!
Testing the beta3 ISO now; I just had to add this manually. Grok failures were showing, and when I checked https://github.com/dougburks/elastic-test/blob/master/configfiles/6501_ossec_sysmon.conf#L25
I found another spacing issue and just added another line containing this (a space is needed at "CurrentDirectory"):
Have you confirmed that the above-mentioned (1st) line is present in the config file in /opt/elastic/src/configfiles/? To confirm, are you implying that there are two different patterns that aren't being matched correctly? Would you be able to provide the raw log(s) for each so that we can confirm each is working on our side? Thanks,
Wes, your parser template string above was completely missing from the new beta3 ISO that I just built from. I added it as you have it above, after the line you specified. What I found was that the grok errors persisted, so I looked deeper and found that there was no space at
So I created a new parser string, which contains the space, and added it. I guess I can comment out the line without the space and see if errors are thrown again. Here is what the grok pattern for event 1 is in my .conf now:
Found another error, and it all came down to more spaces.
This one basically needs two spaces between everything... /-:
The above grok pattern in regard to CurrentDirectory (single space; to clarify, I did not modify it, but left it with no space) works for me if I run it through Grok Debugger. That log in particular has no "process arguments" value. I'm wondering if this event is coming in with no spaces, one space, and/or two spaces between some or all terms. In regard to the second one involving two spaces, are you referring to this log coming in with both one and two spaces between terms? Not to detract from improving the OSSEC/Sysmon config files, but you may get better results with Winlogbeat shipping those Sysmon logs to Logstash. Thanks,
I think the best approach for the existing OSSEC/Sysmon config may be to use
Wes, you are correct; I am inferring that there are two formats. I was wondering if there is a "wildcard" I could use. Thanks! I'll have to test the difference between Winlogbeat and OSSEC event forwarding. Great idea. Thanks again!
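Added example (mine, not code from this thread or from the Security Onion configs): a small grok-to-regex expander run over constructed Sysmon event 1 fragments, to show what the spacing variants discussed above actually do to the match. It uses the ProcessId..User part of the event 1 pattern, first as posted (no space before CurrentDirectory) and then with the added space, plus a whitespace-tolerant rewrite using \s+ between tokens as one answer to the "wildcard" question. The TOLERANT pattern is my suggestion, the shortened fragment and the four sample lines are constructed for this example rather than real captures, and GROK_PATTERNS is a hand-copied subset of the Logstash built-ins.

```python
import re

# Subset of Logstash's built-in grok patterns (logstash-patterns-core), enough
# to expand the event 1 fragments used below.
GROK_PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NONNEGINT": r"\b(?:[0-9]+)\b",
    "DATA": r".*?",      # lazy: silently absorbs stray whitespace into a field
    "GREEDYDATA": r".*",
    "SPACE": r"\s*",
}
TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} / %{NAME} into a Python regex with named groups.

    Text between tokens is passed through verbatim, as Logstash does (a grok
    pattern is itself a regex), so a literal \\s+ in the pattern is honoured.
    """
    out, pos = [], 0
    for m in TOKEN.finditer(pattern):
        out.append(pattern[pos:m.start()])
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        out.append(f"(?P<{field}>{body})" if field else f"(?:{body})")
        pos = m.end()
    out.append(pattern[pos:])
    return "".join(out)


def grok_match(pattern: str, line: str):
    """Captured fields as a dict, or None where Logstash would tag _grokparsefailure."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


# ProcessId..User fragment of the thread's event 1 pattern, first as posted
# (no space before CurrentDirectory), then with the reporter's added space.
NO_SPACE = (r"ProcessId: %{INT:process_id} Image: %{DATA:image_path} "
            r"CommandLine: %{DATA:process_name} %{DATA:process_arguments}"
            r"CurrentDirectory: %{DATA:current_directory} User: %{GREEDYDATA:user}")
WITH_SPACE = NO_SPACE.replace("%{DATA:process_arguments}CurrentDirectory",
                              "%{DATA:process_arguments} CurrentDirectory")
# Whitespace-tolerant rewrite (this example's suggestion, not from the thread):
# \s+ between tokens so one or two spaces both match, and the whole CommandLine
# kept in one field instead of being split on its first space.
TOLERANT = (r"ProcessId:\s+%{INT:process_id}\s+Image:\s+%{DATA:image_path}\s+"
            r"CommandLine:\s+%{DATA:command_line}\s+"
            r"CurrentDirectory:\s+%{DATA:current_directory}\s+User:\s+%{GREEDYDATA:user}")

# Constructed sample fragments (not real Sysmon captures), one per spacing case.
NOARGS = (r"ProcessId: 1234 Image: C:\Windows\System32\svchost.exe "
          r"CommandLine: C:\Windows\System32\svchost.exe "
          r"CurrentDirectory: C:\Windows\system32\ User: NT AUTHORITY\SYSTEM")
ARGS = (r"ProcessId: 1234 Image: C:\Windows\System32\svchost.exe "
        r"CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p "
        r"CurrentDirectory: C:\Windows\system32\ User: NT AUTHORITY\SYSTEM")
TWO_SPACES = (r"ProcessId:  1234  Image:  C:\Windows\System32\svchost.exe  "
              r"CommandLine:  C:\Windows\System32\svchost.exe  -k netsvcs -p  "
              r"CurrentDirectory:  C:\Windows\system32\  User:  NT AUTHORITY\SYSTEM")
SPACE_PATH = (r"ProcessId: 1234 Image: C:\Program Files\Foo\foo.exe "
              r'CommandLine: "C:\Program Files\Foo\foo.exe" --quiet '
              r"CurrentDirectory: C:\Program Files\Foo\ User: NT AUTHORITY\SYSTEM")

PATTERNS = (("NO_SPACE", NO_SPACE), ("WITH_SPACE", WITH_SPACE), ("TOLERANT", TOLERANT))
LINES = (("NOARGS", NOARGS), ("ARGS", ARGS), ("TWO_SPACES", TWO_SPACES), ("SPACE_PATH", SPACE_PATH))
CMD_FIELDS = ("process_name", "process_arguments", "command_line")


def matrix():
    """Which pattern parses which line, and what lands in the command-line fields."""
    rows = {}
    for pname, pat in PATTERNS:
        for lname, line in LINES:
            fields = grok_match(pat, line)
            if fields is None:
                rows[(pname, lname)] = None
            else:
                rows[(pname, lname)] = {k: v for k, v in fields.items() if k in CMD_FIELDS}
    return rows


if __name__ == "__main__":
    for (pname, lname), fields in matrix().items():
        print(f"{pname:10} {lname:10} {'_grokparsefailure' if fields is None else fields}")
```

Two things the matrix makes visible. %{DATA} is lazy, so it never fails on a stray space but quietly moves it into a field (under NO_SPACE, process_arguments ends with a trailing space, and WITH_SPACE cannot match a line that has no arguments at all), whereas %{INT} fails outright when a second space sits before the number, which is where the _grokparsefailure tags on the two-space events come from. Splitting CommandLine on its first space also misfiles any image path containing a space, so keeping the whole command line in one field is safer. In Logstash the same \s+ can be written directly in the match string, since the grok pattern is a regex.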
This seems to have halted all the errors:
Thanks for confirming. I'll work on adding Thanks,
FYSA: The Sysmon logs are coming in and most are being parsed correctly (and are thus visible after ingest in the "Syslog" and "Sysmon" dashboards). The problem is that there is also a high number of grok parser errors, as shown in the totally awesome "stats" dashboard. Example event below:
Stats event shows:
Raw message: