Filter specific eventlog data

ltep

Member

Joined: Nov 2022

Posts: 42
#1

Filter specific eventlog data

10-01-2023, 10:15

At the moment i'm able to retrieve logs from the Windows Eventviewer with a specific eventID into Zabbix with Agent2.
The log result has multiple lines. I would like to use only some specific lines from the result like "Account Name" and "Client Address".
Can someone guide me how this can be done?

An example of a log file:

Kerberos pre-authentication failed.
Account Information:
Security ID: DOMAIN\LAPTOP$
Account Name: LAPTOP$

Service Information:
Service Name: krbtgt/DOMAIN.COM

Network Information:
Client Address: 192.168.10.20
Client Port: 58412
Tags: None
Hamardaban

Senior Member

Joined: May 2019

Posts: 2713
#2

10-01-2023, 11:36

You can select data using a regular expression .
BUT! zabbix processes each line separately!
Therefore, the first step is to remove line breaks - do the JS preprocessing step with

Code:

return value.replace(/\n/g,' ')

Next, use a regular expression (Regular expression) like

Code:

Account Name:\s(.*)\sService Information.*Client Address:(.*)\sClient Port

to select groups with the necessary information and output them (Replace)

Code:

\1 \2

https://www.zabbix.com/documentation.../preprocessing

Last edited by Hamardaban; 10-01-2023, 11:39.
Comment

Ad Widget