Field matching based on lookup table - Page 1

#1 cmiscloni 4 years ago

Hi all,

Does Nxlog Enterprise has the possibility to request a table in order to convert some field ?

Like EventID 4624 on Windows and replace LogonType ID to a more readable string:

    &quot;2&quot;: &quot;Interactive&quot;,
    &quot;3&quot;: &quot;Network&quot;,
    &quot;4&quot;: &quot;Batch&quot;,
    &quot;5&quot;: &quot;Service&quot;,
    &quot;7&quot;: &quot;Unlock&quot;,
    &quot;8&quot;: &quot;NetworkCleartext&quot;,
    &quot;9&quot;: &quot;NewCredentials&quot;,
    &quot;10&quot;: &quot;RemoteInteractive&quot;,
    &quot;11&quot;: &quot;CachedInteractive&quot;,

Permalink

#2 ArkadiyDeactivated Nxlog ✓ 4 years ago

#1 cmiscloni

Hi all, Does Nxlog Enterprise has the possibility to request a table in order to convert some field ? Like EventID 4624 on Windows and replace LogonType ID to a more readable string: "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service", "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials", "10": "RemoteInteractive", "11": "CachedInteractive",

Hello,

It's possible but you will need to write this table in your config.
We have im_msvistalog input module, it parses incoming messages and adding additional fields like $LogonType.
With it you could use simple if-else statement to check, what is this type, and add a new field or change already existing, depends on your needs. Something like this:

<Exec>
    if $LogonType == 2 $NewMessage = "Interactive";
    else if $LogonType == 3 $NewMessage = "Network";
    else if $LogonType == 4 $NewMessage = "Batch";
    else if $LogonType == 5 $NewMessage = "Service";
</Exec>

Also you can parse the entire $raw_message using regex but it will take much more resources and I'm not is this makes any sense.
Let us know if this was useful you.

Best regards, Arch