6601-plaso.conf windows events failing grok

[TjebbeVQ]

Hi,

Currently working on importing plaso timeline csv into ELK, but it seems that not all events get their event id, computername,.. extracted out of it.

Will try to fix it and update if I find a solution or a reason why it's giving problems.

Kind regards

T

[TjebbeVQ]

Problem seems to be related to the value 0 in any of the event_id or event level fields. Fixed it by changing the grok datatype from POSINT to INT.

From:
match => [ "desc", "[%{POSINT:event_id}.*] Source Name: %{DATA:provider} Strings: [%{DATA:payload}] Computer Name: %{HOSTNAME:computer} Record Number: %{POSINT:record_number} Event Level: %{POSINT:level}" ]

To:
match => [ "desc", "[%{INT:event_id}.*] Source Name: %{DATA:provider} Strings: [%{DATA:payload}] Computer Name: %{HOSTNAME:computer} Record Number: %{INT:record_number} Event Level: %{INT:level}" ]

T

[philhagen]

reopening to change grok statement in the parser

[TjebbeVQ]

Also found that the prefetch grok now needs "path hints" instead of "path"

match => [ "desc", "Prefetch \[%{DATA:filename}\] was executed - run count %{POSINT:run_count} path hints: %{DATA:path} hash: %{WORD:prefetch_hash} volume: %{POSINT:volume_number} \[serial number: %{DATA:volume_serial} device path: %{DATA:device_path}\]" ]