Hi everyone,
I'm encountering the following problem: I've been testing my grok filter, including my patterns, on both Grok Debugger and Grok Constructor, and it works fine. Also, when running Logstash with the option -t, no error is returned. But when running Logstash, I still receive a _grokparsefailure in my tags. So my question is: how can that be, and how can I start debugging (as I'm pretty sure that my filters/patterns are OK)?
I'm using this Logstash config:
input {
  file {
    path => "/media/SAP/log/security_audit_log/*"
    type => "security_audit_log"
    start_position => "beginning"
    codec => plain {
      charset => "ISO-8859-1"
    }
  }
}
filter {
  if [type] == "security_audit_log" {
    mutate {
      # gsub takes a flat array of field, pattern, replacement triples;
      # "replace =>" inside the array is not valid gsub syntax.
      # As written here it deletes every space character in the message.
      gsub => [ "message", " ", "" ]
    }
    grok {
      patterns_dir => "/media/ELK/logstash-5.5.1/config/paterns/*"
      match => { "message" => "\|%{SAPDATE:date}\|%{TIME:time}\|%{CLIENT:client}?\|%{USER:username}?%{SPACE}?\|%{TERMINAL:terminal}?%{SPACE}?\|%{TCODE:tcode}?%{SPACE}?\|%{PROGRAM:program}?%{SPACE}?\|%{AUDITCLASS:auditclass}%{SPACE}?\|%{SECURITYLEVEL:securitylevel}%{SPACE}?\|%{MESSAGETEXT:messagetext}%{SPACE}?\|" }
    }
    mutate {
      add_field => {
        "logtimestamp" => "%{date} %{time}"
      }
      remove_field => [ "date", "time" ]
    }
    date {
      # SAPDATE captures a numeric month (e.g. 20.07.2017), so the month token
      # must be MM; MMM expects an abbreviated month name such as "Jul".
      match => [ "logtimestamp", "dd.MM.yyyy HH:mm:ss" ]
      timezone => "Europe/Berlin"
      locale => "en"
      target => "@timestamp"
    }
  }
}
output {
  if [type] == "security_audit_log" {
    elasticsearch {
      hosts => "localhost:9200"
      # the event has no field named "timestamp"; derive the index suffix
      # from @timestamp with the sprintf date format instead
      index => "%{type}-%{+YYYY.MM.dd}"
    }
  }
  stdout {
    codec => "rubydebug"
  }
}
with these patterns:
# Dots are escaped so they only match a literal "." (an unescaped dot matches any character).
SAPDATE %{MONTHDAY}\.%{MONTHNUM}\.%{YEAR}
CLIENT \d{3}
TERMINAL [\w+.\-]+
TCODE [A-Z0-9_]+
PROGRAM [A-Z0-9_/]+
AUDITCLASS (\w+\s?\-?/?){1,3}
SECURITYLEVEL (\w+\s?){1,3}
# MESSAGETEXT, which the match string references, is not defined in this excerpt;
# USER is a stock Logstash pattern (an alias of USERNAME).
And here are some log lines (anonymized):
|Date |Time |Cl.|User |Terminal |TCode |Program |Auditclass |Security Level |AuditLog-Messagetext |
|20.07.2017|08:01:37| | | | | |System-Ereignisse |Hoch |Applikationsserver gestartet |
|24.07.2017|11:17:05|000|SOMEUSER |SOMETERMINAL |SM19 |SAPMSM19 |System-Ereignisse |Hoch |Audit Konfiguration geändert |
|24.07.2017|11:17:05|000|SOMEUSER |SOMETERMINAL |SM19 |SAPMSM19 |System-Ereignisse |Hoch |Audit: Slot 1: Klasse 191, Gewicht 5, User * , Mandant 000, |
|24.07.2017|11:17:05|000|SOMEUSER |SOMETERMINAL |SM19 |SAPMSM19 |System-Ereignisse |Hoch |Audit Konfiguration geändert |
|24.07.2017|11:17:05|000|SOMEUSER |SOMETERMINAL |SM19 |SAPMSM19 |System-Ereignisse |Hoch |Audit: Slot 2 : inaktiv |
|24.07.2017|11:19:19|000|SOMEUSER | | |RSBTCRTE |Dialoganmeldung |Mittel |Login erfolgreich (Typ=B, Methode=A ) |
|24.07.2017|11:24:14|000|SOMEUSER | | |RSBTCRTE |Dialoganmeldung |Mittel |Login erfolgreich (Typ=B, Methode=A ) |
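As an added example (not part of the original post), the following Python script reproduces the grok match and the space-deleting gsub offline against the log lines above, so each line can be checked for a _grokparsefailure without restarting Logstash. The seven custom patterns are taken from the post; the stock Logstash patterns (MONTHDAY, MONTHNUM, YEAR, TIME, USER, SPACE) are simplified equivalents written for this example, not the library's own definitions; and MESSAGETEXT, which the match string references but the post does not define, is assumed to be `[^|]*` (anything up to the next pipe).

```python
import re

# Grok pattern definitions used to reproduce the filter offline.
# SAPDATE ... SECURITYLEVEL are the patterns from the post (dots escaped).
# MONTHDAY ... SPACE are simplified equivalents of the stock Logstash
# patterns, written for this example only.
# MESSAGETEXT is not defined in the post: "[^|]*" is an assumption.
PATTERNS = {
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "YEAR": r"(?:\d\d){1,2}",
    "HOUR": r"(?:2[0-3]|[01]?[0-9])",
    "MINUTE": r"[0-5][0-9]",
    "SECOND": r"(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})?",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "USER": r"%{USERNAME}",
    "SPACE": r"\s*",
    "SAPDATE": r"%{MONTHDAY}\.%{MONTHNUM}\.%{YEAR}",
    "CLIENT": r"\d{3}",
    "TERMINAL": r"[\w+.\-]+",
    "TCODE": r"[A-Z0-9_]+",
    "PROGRAM": r"[A-Z0-9_/]+",
    "AUDITCLASS": r"(\w+\s?\-?/?){1,3}",
    "SECURITYLEVEL": r"(\w+\s?){1,3}",
    "MESSAGETEXT": r"[^|]*",  # assumption, see above
}

# The match string exactly as in the post's grok filter.
GROK_MATCH = (
    r"\|%{SAPDATE:date}\|%{TIME:time}\|%{CLIENT:client}?\|%{USER:username}?%{SPACE}?"
    r"\|%{TERMINAL:terminal}?%{SPACE}?\|%{TCODE:tcode}?%{SPACE}?\|%{PROGRAM:program}?%{SPACE}?"
    r"\|%{AUDITCLASS:auditclass}%{SPACE}?\|%{SECURITYLEVEL:securitylevel}%{SPACE}?"
    r"\|%{MESSAGETEXT:messagetext}%{SPACE}?\|"
)

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, defs=PATTERNS):
    """Expand %{NAME} and %{NAME:field} references (recursively) into a Python regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        if name not in defs:
            raise KeyError("undefined grok pattern: %s" % name)
        inner = grok_to_regex(defs[name], defs)
        return "(?P<%s>%s)" % (field, inner) if field else "(?:%s)" % inner
    return _REF.sub(expand, pattern)


GROK_REGEX = re.compile(grok_to_regex(GROK_MATCH))


def apply_gsub(message):
    """Mirror the post's mutate/gsub: every space character is deleted."""
    return message.replace(" ", "")


def grok_parse(message, strip_spaces=True):
    """Return the captured fields, or None where Logstash would add _grokparsefailure.

    Grok matches are unanchored, so re.search is the equivalent of the filter.
    """
    if strip_spaces:
        message = apply_gsub(message)
    m = GROK_REGEX.search(message)
    return m.groupdict() if m else None


def check_lines(lines, strip_spaces=True):
    """Run every line through the filter; returns a list of (line, fields-or-None)."""
    return [(line, grok_parse(line, strip_spaces)) for line in lines]


# Constructed sample: the header line and three anonymized data lines from the post.
SAMPLE_LINES = [
    "|Date |Time |Cl.|User |Terminal |TCode |Program |Auditclass |Security Level |AuditLog-Messagetext |",
    "|20.07.2017|08:01:37| | | | | |System-Ereignisse |Hoch |Applikationsserver gestartet |",
    "|24.07.2017|11:17:05|000|SOMEUSER |SOMETERMINAL |SM19 |SAPMSM19 |System-Ereignisse |Hoch |Audit Konfiguration geändert |",
    "|24.07.2017|11:19:19|000|SOMEUSER | | |RSBTCRTE |Dialoganmeldung |Mittel |Login erfolgreich (Typ=B, Methode=A ) |",
]

if __name__ == "__main__":
    for strip in (False, True):
        print("--- gsub %s ---" % ("applied" if strip else "skipped"))
        for line, fields in check_lines(SAMPLE_LINES, strip):
            status = "OK  " if fields else "FAIL"  # FAIL = _grokparsefailure
            print(status, line[:40], "" if not fields else fields["auditclass"].strip())
```

Running it shows two things the online debuggers do not: the header line never matches, so a file input that reads the file from the beginning emits at least one event tagged _grokparsefailure; and without the space-deleting gsub, the line whose Cl. field is a single blank fails, because the match string has no `%{SPACE}?` after `%{CLIENT:client}?` and the `\|` that follows cannot match the blank. When testing in a debugger, paste the message as the grok filter receives it (after the mutate), not the raw file line.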