We are sending domain controller logs to CMK EC. An example event log that gets forwarded to EC is below…
A user account was disabled. Subject: Security ID: S-1-5-21-XXXXX-XXXXX-XXXXX-XXXXX Account Name: XXXXX Account Domain: XXXXX Logon ID: 0x433CDC83 Target Account: Security ID: S-1-5-21-XXXXX-XXXXX-XXXXX-XXXXX Account Name: XXXXX Account Domain: XXXXX
I want to use the Rewrite application rule option so that it includes a prefixed blurb "Events - " followed by "A user account was disabled".
The desired result would be that the rewrite application option outputs "Events - A user account was disabled".
The help text for rewrite application states…
Replace the application (syslog tag) with this text. If you have bracketed groups in the text to match, then you can use the placeholders \1, \2, etc. for inserting the first, second etc. matching group. The placeholder \0 will be replaced by the original text. This allows you to add new information in front or at the end. You can also use the placeholders $MATCH_GROUPS_MESSAGE_1$ for message match groups and $MATCH_GROUPS_SYSLOG_APPLICATION_1$ for the syslog application match groups.
I have no idea where to start with this or if this is even possible. Is anyone able to help me out?
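Added example, not from the poster and not Checkmk's own code: a small Python simulation of the placeholder substitution the quoted help text describes, run over the forwarded event from the post. The idea it demonstrates is that the "Text to match" regex needs a bracketed group, e.g. (A user account was disabled), and the rewrite application text then refers to that group as \1 or $MATCH_GROUPS_MESSAGE_1$, while \0 keeps the original syslog application. The application value "Microsoft-Windows-Security-Auditing" and the use of an unanchored regex search for "Text to match" are assumptions made for the simulation.

```python
import re

# Constructed sample event, modelled on the forwarded domain-controller log in
# the post. The syslog application (tag) value is an assumption, not from the post.
SAMPLE_EVENT = {
    "application": "Microsoft-Windows-Security-Auditing",
    "text": (
        "A user account was disabled. Subject: Security ID: "
        "S-1-5-21-XXXXX-XXXXX-XXXXX-XXXXX Account Name: XXXXX Account Domain: XXXXX "
        "Logon ID: 0x433CDC83 Target Account: Security ID: "
        "S-1-5-21-XXXXX-XXXXX-XXXXX-XXXXX Account Name: XXXXX Account Domain: XXXXX"
    ),
}


def rewrite_application(event, match_text, match_application=None, set_application=""):
    # Simulation of the EC rule's "Rewrite application" step as the help text
    # describes it (not Checkmk's implementation):
    #   match_text        -> the rule's "Text to match" regex; its bracketed groups
    #                        become \1, \2, ... and $MATCH_GROUPS_MESSAGE_n$
    #   match_application -> optional "Match syslog application" regex; its groups
    #                        become $MATCH_GROUPS_SYSLOG_APPLICATION_n$
    #   \0                -> the original application value
    # Returns the rewritten application, or None if the rule does not match.
    # Assumption: the match is an unanchored search over the message text.
    m = re.search(match_text, event["text"])
    if m is None:
        return None
    message_groups = m.groups()

    app_groups = ()
    if match_application is not None:
        am = re.search(match_application, event["application"])
        if am is None:
            return None
        app_groups = am.groups()

    out = set_application.replace("\\0", event["application"])
    for n, group in enumerate(message_groups, start=1):
        out = out.replace(f"\\{n}", group)
        out = out.replace(f"$MATCH_GROUPS_MESSAGE_{n}$", group)
    for n, group in enumerate(app_groups, start=1):
        out = out.replace(f"$MATCH_GROUPS_SYSLOG_APPLICATION_{n}$", group)
    return out


if __name__ == "__main__":
    # The configuration the post is asking for: one bracketed group in
    # "Text to match", and "Events - \1" as the rewrite application text.
    print(rewrite_application(SAMPLE_EVENT, r"(A user account was disabled)",
                              set_application="Events - \\1"))
    # Same result with the named placeholder form.
    print(rewrite_application(SAMPLE_EVENT, r"(A user account was disabled)",
                              set_application="Events - $MATCH_GROUPS_MESSAGE_1$"))
    # \0 keeps the original application and appends to it.
    print(rewrite_application(SAMPLE_EVENT, r"(A user account was disabled)",
                              set_application="\\0 - Events"))
    # A rule whose "Text to match" does not match leaves the event untouched.
    print(rewrite_application(SAMPLE_EVENT, r"(A user account was enabled)",
                              set_application="Events - \\1"))
```

In the rule itself this corresponds to setting "Text to match" to (A user account was disabled) and "Rewrite application" to Events - \1; without a bracketed group in the match text, \1 and $MATCH_GROUPS_MESSAGE_1$ have nothing to refer to, and only \0 (the original application) would be available.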