CMK EC - How to use match groups to rewrite application text?

We are sending domain controller logs to CMK EC. An example event log that gets forwarded to EC is below…

A user account was disabled.    Subject:   Security ID:  S-1-5-21-XXXXX-XXXXX-XXXXX-XXXXX   Account Name:  XXXXX   Account Domain:  XXXXX   Logon ID:  0x433CDC83    Target Account:   Security ID:  S-1-5-21-XXXXX-XXXXX-XXXXX-XXXXX   Account Name:  XXXXX   Account Domain:  XXXXX

I want to use the Rewrite application rule option so that it includes a prefixed blurb "Events - " followed by “A user account was disabled”.

The desired results would be that the rewrite application option outputs as “Events - A user account was disabled”.

The help text for rewrite application states…

Replace the application (syslog tag) with this text. If you have bracketed groups in the text to match, then you can use the placeholders \1, \2, etc. for inserting the first, second etc. matching group. The placeholder \0 will be replaced by the original text. This allows you to add new information in front or at the end. You can also use the placeholders $MATCH_GROUPS_MESSAGE_1$ for message match groups and $MATCH_GROUPS_SYSLOG_APPLICATION_1$ for the syslog application match groups.

I have no idea where to start with this or if this is even possible, anyone able to help me out?

Hello,
you could define a regex in “Text to match”:

A user account was disabled(.*)

Rewrite rule:

Events - A user account was disabled

If you want the rest of the matching text also:

Events - A user account was disabled \1

Karl
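To check a rule like Karl's before putting it into the Event Console, it helps to see exactly what the `\0` and `\1` placeholders expand to against the real log text. The following is an added example, not code from the thread or from Checkmk: a small Python stand-in for the EC rewrite step that applies "Text to match" as a regular expression (search semantics are assumed here) and substitutes `\0` with the whole original text and `\N` with the Nth bracketed group, as the quoted help text describes. The sample event is a constructed copy of the log shape shown in the question, with placeholder SIDs and names.

```python
import re

# Constructed sample event, shaped like the domain controller log quoted in the thread.
# SIDs and account names are placeholders, not real values.
SAMPLE_EVENT = (
    "A user account was disabled.    Subject:   Security ID:  S-1-5-21-XXXXX-XXXXX-XXXXX-XXXXX"
    "   Account Name:  XXXXX   Account Domain:  XXXXX   Logon ID:  0x433CDC83"
    "    Target Account:   Security ID:  S-1-5-21-XXXXX-XXXXX-XXXXX-XXXXX"
    "   Account Name:  XXXXX   Account Domain:  XXXXX"
)

# "Text to match" from the answer above: one bracketed group captures the remainder.
TEXT_TO_MATCH = r"A user account was disabled(.*)"


def rewrite(text, pattern, template):
    """Stand-in for the EC rewrite step (not Checkmk code).

    Applies `pattern` to `text` with re.search (an assumption about the matching
    semantics), then expands EC-style placeholders in `template`:
      \0  -> the original text
      \1, \2, ... -> the first, second, ... bracketed group
    Placeholders that name a group the pattern does not have are left as written.
    Returns None when the pattern does not match, i.e. the rule would not fire.
    """
    m = re.search(pattern, text)
    if m is None:
        return None

    groups = {"0": text}
    for i, g in enumerate(m.groups(), start=1):
        groups[str(i)] = g if g is not None else ""

    # Replace every \N token; the lambda result is used literally, so any
    # backslashes inside the captured text are not reinterpreted.
    return re.sub(r"\\(\d+)", lambda p: groups.get(p.group(1), p.group(0)), template)


def preview_rules(event=SAMPLE_EVENT):
    """Apply the three rewrite variants discussed in the thread to one event."""
    return {
        "prefix_only": rewrite(event, TEXT_TO_MATCH, r"Events - A user account was disabled"),
        "prefix_plus_rest": rewrite(event, TEXT_TO_MATCH, r"Events - A user account was disabled \1"),
        "prefix_whole_text": rewrite(event, TEXT_TO_MATCH, r"Events - \0"),
    }


if __name__ == "__main__":
    for name, result in preview_rules().items():
        print(f"{name}: {result}")
```

Note that with `(.*)` placed directly after "disabled", group 1 starts at the trailing period, so the `\1` variant yields "Events - A user account was disabled .    Subject: ..." (the original spacing is preserved). An event whose text does not contain the matched phrase returns `None`, meaning the rule would not rewrite it at all.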

Thanks Karl, that worked!

