Matching multiple lines in grok


I want to match the following Windows log using a grok expression:

LogName=Security
EventCode=4689
EventType=0
TaskCategory=Process Termination
Type=Information
RecordNumber=6828379

How can I match new-line characters in grok?

The above log, written on a single line, can be matched using the following expression:

LogName=%{DATA:log_name} EventCode=%{INT:event_code} EventType=%{INT:event_type} TaskCategory=%{DATA:task_category} Type=%{NOTSPACE:type} RecordNumber=%{NOTSPACE:recordNumber}

But when I add \s or \r\n to the above expression and try to match a newline character in the above log, it fails to match the newline character, because I feel it is trying to match from the very beginning of the grok expression. What should be the grok expression for the six-line log mentioned above?

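Grok patterns are compiled down to regular expressions (Oniguruma in Logstash), so a line break between two fields is just another regex token, written as `\r?\n` to accept both CRLF from a Windows source and LF. The other requirement is that all six lines reach the grok filter as one event: if the input splits on newlines, each line is a separate event and no pattern can match the whole record. The following Python script is an added example, not code from the question or from Logstash; it hand-expands a few entries of the grok pattern library (`DATA`, `GREEDYDATA`, `INT`, `NOTSPACE`, copied from the library's definitions) into Python named groups and parses the question's record in both its multi-line and single-line forms. The sample input is constructed from the question's log.

```python
import re
from typing import Optional

# A few entries of the grok pattern library, written out here by hand for the
# example (assumption: real grok loads the full logstash-patterns-core library).
GROK_PATTERNS = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NOTSPACE": r"\S+",
}

# %{NAME} or %{NAME:field}
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand every %{NAME} / %{NAME:field} reference into a Python regex group."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]  # unknown pattern name raises, as grok would refuse it
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _GROK_REF.sub(expand, pattern)


# The six fields of the question's record, in order, with the grok pattern for each.
FIELDS = [
    ("LogName", "%{DATA:log_name}"),
    ("EventCode", "%{INT:event_code}"),
    ("EventType", "%{INT:event_type}"),
    ("TaskCategory", "%{DATA:task_category}"),
    ("Type", "%{NOTSPACE:type}"),
    ("RecordNumber", "%{NOTSPACE:record_number}"),
]


def build_grok_expression(multiline: bool) -> str:
    """Join the field patterns with one line break (CRLF or LF) or one space."""
    separator = r"\r?\n" if multiline else " "
    return separator.join(f"{key}={pat}" for key, pat in FIELDS)


def parse_event(text: str, multiline: bool = True) -> Optional[dict]:
    """Return the named captures for one Security event record, or None if it does not match."""
    regex = re.compile(grok_to_regex(build_grok_expression(multiline)))
    m = regex.fullmatch(text.strip())
    return m.groupdict() if m else None


# Constructed sample input: the record from the question, joined with CRLF as a
# Windows source emits it, plus the same record flattened onto a single line.
MULTILINE_EVENT = "\r\n".join([
    "LogName=Security",
    "EventCode=4689",
    "EventType=0",
    "TaskCategory=Process Termination",
    "Type=Information",
    "RecordNumber=6828379",
]) + "\r\n"
SINGLE_LINE_EVENT = MULTILINE_EVENT.replace("\r\n", " ").strip()

if __name__ == "__main__":
    print(build_grok_expression(multiline=True))
    print(parse_event(MULTILINE_EVENT))
    print(parse_event(SINGLE_LINE_EVENT, multiline=False))
```

Note that `DATA` is the lazy `.*?`, and `.` does not match a newline by default, so each `%{DATA:...}` capture stops at the end of its own line and the `\r?\n` separator carries the match into the next field; `%{GREEDYDATA}` would behave the same way here for the same reason.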