While experimenting with a general-purpose way to get CSVs and other log data into Graylog with PowerShell, I have been converting the file contents into JSON and then importing it over a raw HTTP input. It is hardly the fastest method, but as a proof of concept it works.
However, after configuring a JSON extractor (System > Inputs > (your input) > Manage extractors), I found that many fields were simply ‘missing’ from the message stream. When importing data from Windows Defender EDR, only the Sha256 and Sha1 fields were present and everything else appeared to be skipped.
The solution was simple. Although the ‘Try’ function in Graylog displays the full set of expected fields, this feature appears to be slightly bugged: it accepts keys containing whitespace in the extraction example, but unless the ‘Replace whitespace in keys’ box is ticked it does not extract those keys in actual use. That is consistent with the symptom above: Sha256 and Sha1 contain no whitespace, whereas the other column headers in the export presumably did.
Simply put: tick that ‘Replace whitespace in keys’ box, enter your chosen replacement character, and you’ll be good to go.
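As an added example (not the original script from this post), the snippet below does the same normalisation on the sending side: it reads a CSV, replaces whitespace in the column headers before serialising each row to JSON, and posts one document per message to the raw HTTP input. This makes the resulting field names deterministic regardless of how the extractor is configured. The Graylog URL, the CSV path and the sample rows are assumptions or constructed for illustration.

```powershell
# Added example, not the post's own code. Assumed: a Graylog Raw/Plaintext HTTP input
# listening at $GraylogUrl (host and port are placeholders to adjust).
$GraylogUrl = 'http://graylog.example.internal:5555/raw'   # assumption: your input's URL
$CsvPath    = '.\defender-edr-export.csv'                   # assumption: your export file

function ConvertTo-GraylogJsonLine {
    param(
        [Parameter(Mandatory)] [pscustomobject] $Row,
        [string] $KeyReplacement = '_'                      # same idea as the extractor's replacement
    )
    $clean = [ordered]@{}
    foreach ($prop in $Row.PSObject.Properties) {
        # Collapse any run of whitespace in the column header into the replacement character,
        # e.g. 'Device Name' -> 'Device_Name', so the JSON extractor sees whitespace-free keys.
        $key = $prop.Name -replace '\s+', $KeyReplacement
        $clean[$key] = $prop.Value
    }
    # -Compress keeps each document on a single line; a raw HTTP input treats it as one message.
    return ConvertTo-Json -InputObject $clean -Compress -Depth 5
}

# Constructed sample with headers containing spaces, matching the symptom described in the post.
# For a real export replace this with:  $rows = Import-Csv -Path $CsvPath
$rows = @'
Device Name,Sha256,Sha1,File Path
WS-01,aaaa,bbbb,C:\Temp\x.exe
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    $json = ConvertTo-GraylogJsonLine -Row $row
    # $json is now e.g. {"Device_Name":"WS-01","Sha256":"aaaa","Sha1":"bbbb","File_Path":"C:\\Temp\\x.exe"}
    Invoke-RestMethod -Uri $GraylogUrl -Method Post -Body $json -ContentType 'application/json' | Out-Null
}
```

With the keys cleaned before shipping, the ‘Replace whitespace in keys’ setting becomes a belt-and-braces safeguard rather than something the ingestion depends on.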
Thumbs up if this article helped you 🙂