Replace function to remove a string
Hi
Here is my configuration. However, only the Sysmon events are not working, because they contain "/operational: " at the beginning of the message, which causes the events to be parsed incorrectly.
So I want to know how to remove "/operational: ".
<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module       im_msvistalog
    ReadFromLast True
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Windows PowerShell">*</Select>
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec $UnixTime = integer($EventTime)/1000;
</Input>

<Output devo_relay>
    Module om_tcp
    Host   192.168.29.133
    Port   13000
</Output>
I tried

Exec if ($SourceName =~ /Microsoft-Windows-Sysmon\/Operational/) { $Message = replace($Message, "/operational: ", ""); }

and

Exec if ($Message =~ /\/operational: /) { $Message = replace($Message, "/operational: ", ""); }

but neither worked.
Hi @Jay1,
Kindly try the following Exec statement:
Exec if ($SourceName == 'Microsoft-Windows-Sysmon') { $raw_event = replace($raw_event, "/operational: ", ""); }
Regards,
David
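Putting David's statement in context, as an added example that is not part of the original thread or of NXLog's own documentation: an Exec in the Input block runs on $Message before the Output has formatted anything, so a replace there cannot touch a token that is only added when the syslog header is built, which is why the fix operates on $raw_event (the bytes om_tcp actually sends) in the Output, after the formatting call. Assumptions: the Output calls to_syslog_bsd() (the original post does not show the rest of the Output block), and the Route block is mine; the host, port and the rest of the Input are taken from Jay1's configuration.

```nxlog
<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module       im_msvistalog
    ReadFromLast True
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Windows PowerShell">*</Select>
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec $UnixTime = integer($EventTime)/1000;
</Input>

<Output devo_relay>
    Module om_tcp
    Host   192.168.29.133
    Port   13000
    # Assumed: the syslog header is built here. A token that only exists in the
    # header is only visible in $raw_event from this point on, which is why the
    # Input-side replace on $Message never matched.
    Exec   to_syslog_bsd();
    <Exec>
        # Limit the rewrite to Sysmon. im_msvistalog puts the provider name in
        # $SourceName; the channel ("Microsoft-Windows-Sysmon/Operational") is
        # in $Channel, so a regex on $SourceName for ".../Operational" is empty.
        if ($SourceName == 'Microsoft-Windows-Sysmon')
        {
            $raw_event = replace($raw_event, "/operational: ", "");
        }
    </Exec>
</Output>

<Route r>
    Path in => devo_relay
</Route>
```

To confirm what is actually on the wire while testing, add `Exec log_debug($raw_event);` after the replace and read nxlog.log. One caveat a log-pipeline owner should keep in mind: replace() rewrites every occurrence, so if a Sysmon field such as a process command line ever contained the literal substring "/operational: " it would be altered in transit as well; if that matters for evidentiary use of the forwarded events, match the string only at the position where the header puts it rather than anywhere in the payload.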