Adding further logging for flexlm

Hi,
I was able to get Logstash working with flexlm-license-elk (found on GitHub). It does a great job of finding IN/OUT and providing data! Credit to sergioedo for this!

However, I would also like to add DENIED & Warning lines to Logstash. They are different from the IN/OUT lines, so I am not sure how much can be re-used.

I got it to work one way by using just GREEDYDATA, but I realized I also need to add "Warning" lines. So I would like to know the best way to add 2 new sections for the DENIED & Warning lines of the log.


filter {
#parse IN/OUT license lines
if [message] =~ /OUT:/ or [message] =~ /IN:/ {
    mutate { strip => "message" } #clean initial-end spaces
    grok {
        match => [ "message", "%{DATA:checkout_time} \(%{DATA:vendor}\) (?<in_out>(OUT|IN))\: \"%{DATA:feature_name}\" %{DATA:user_id}@%{USERNAME:client_machine}" ]
    }
    mutate { replace => ["checkout_time", "%{flexlm_ts} %{checkout_time}"] }
    date { match => [ "checkout_time", "M/d/yyyy H:mm:ss" ] }
    mutate { replace => ["message", "%{+YYYY-MM-dd HH:mm:ss Z} %{vendor} %{in_out} %{feature_name} %{user_id} %{client_machine}"] }

    # Want to add sections for DENIED & Warning lines: HERE

} else { #discard other lines from log file
    drop { }
}

}

I copied and pasted the section and modified it, but Logstash is not liking it. I am not sure if it's due to the re-use of the mutate/date sections or not.

I tried to add this section in the part above, but it doesn't like it.

if [message] =~ /DENIED:/ {
    mutate { strip => "message" } #clean initial-end spaces
    grok {
        match => [ "message", "%{DATA:checkout_time} \(%{DATA:vendor}\) (?<blocked>(DENIED))\: \"%{DATA:feature_name}\" %{DATA:user_id}@%{USERNAME:client_machine} \(%{GREEDYDATA:reason}\)" ]
    }
    mutate { replace => ["checkout_time", "%{flexlm_ts} %{checkout_time}"] }
    date { match => [ "checkout_time", "M/d/yyyy H:mm:ss" ] }
    mutate { replace => ["message", "%{+YYYY-MM-dd HH:mm:ss Z} %{vendor} %{blocked} %{feature_name} %{user_id} %{client_machine} %{reason}"] }
}

I also tried to search online for how I could do this, but somehow I am not finding what I need. If anyone can help point out my mistake, it would really help me and should also allow me to add the "Warning" sections to my Logstash config. DENIED lines are similar to IN/OUT but also include (Reason + errcode), which I added to GREEDYDATA. Warning lines are much different and shorter, but would be very important to capture.

BR!
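As an added illustration (not code from the post above or from the flexlm-license-elk project), here is a small Python replica of the filter logic the question is about. Grok patterns are regular expressions, so the IN/OUT and DENIED patterns from the post, plus a Warning pattern, are translated to plain regex and exercised offline against sample lines before anything goes into the pipeline. The DENIED and Warning checks are siblings of the IN/OUT check (in Logstash terms, `else if` blocks at the same level as the first `if`, placed before the final `else { drop { } }`), because a block nested inside the IN/OUT branch only ever runs for lines that already matched the outer IN/OUT condition. The Warning line shape (`<time> (<vendor>) Warning: <text>`), the sample log lines and the `3/14/2017` TIMESTAMP date are constructed assumptions, not real FlexLM output; adjust the Warning pattern to the lines in your own debug log.

```python
"""Offline replica of the FlexLM Logstash filter branches (IN/OUT, DENIED, Warning).

Grok patterns are regexes, so the same patterns can be exercised here against
sample lines before they go into the pipeline.  Constructed example, not part of
flexlm-license-elk.
"""
import re
from datetime import datetime
from typing import Optional

# Grok building blocks translated to plain regex.
DATA = r".*?"                    # %{DATA}
GREEDYDATA = r".*"               # %{GREEDYDATA}
USERNAME = r"[a-zA-Z0-9._-]+"    # %{USERNAME}

# Common prefix of every line type: "<time> (<vendor>) "
PREFIX = rf"(?P<checkout_time>{DATA}) \((?P<vendor>{DATA})\) "

# Branch 1: checkouts and checkins, same shape as the IN/OUT grok in the post.
IN_OUT = re.compile(
    PREFIX + rf'(?P<in_out>OUT|IN): "(?P<feature_name>{DATA})" '
    rf"(?P<user_id>{DATA})@(?P<client_machine>{USERNAME})"
)
# Branch 2: DENIED lines end with a parenthesised "(reason + errcode)".
DENIED = re.compile(
    PREFIX + rf'(?P<blocked>DENIED): "(?P<feature_name>{DATA})" '
    rf"(?P<user_id>{DATA})@(?P<client_machine>{USERNAME}) \((?P<reason>{GREEDYDATA})\)"
)
# Branch 3: Warning lines.  ASSUMED shape "<time> (<vendor>) Warning: <text>";
# adjust this pattern to the real Warning lines in your debug log.
WARNING = re.compile(PREFIX + rf"Warning: (?P<warning>{GREEDYDATA})")


def parse_line(raw: str, flexlm_ts: str) -> Optional[dict]:
    """Mirror one pass of the filter block for a single log line.

    flexlm_ts is the date carried over from the preceding TIMESTAMP line
    (the %{flexlm_ts} field the post's mutate refers to).
    Returns None for lines the pipeline would drop.
    """
    message = raw.strip()                        # mutate { strip => "message" }

    # Sibling branches, like if / else if / else if / else in the Logstash config.
    # DENIED is tested first so that a reason text containing "IN:" or "OUT:"
    # can never be routed into the IN/OUT branch.
    if re.search(r"DENIED:", message):
        match = DENIED.search(message)
    elif re.search(r"OUT:|IN:", message):
        match = IN_OUT.search(message)
    elif re.search(r"Warning:", message):
        match = WARNING.search(message)
    else:
        return None                              # else { drop { } }

    if match is None:                            # what grok does on a miss
        return {"message": message, "tags": ["_grokparsefailure"]}

    event = match.groupdict()
    # mutate { replace => ["checkout_time", "%{flexlm_ts} %{checkout_time}"] }
    event["checkout_time"] = f"{flexlm_ts} {event['checkout_time']}"
    # date { match => [ "checkout_time", "M/d/yyyy H:mm:ss" ] }
    event["@timestamp"] = datetime.strptime(event["checkout_time"], "%m/%d/%Y %H:%M:%S")
    return event


def parse_log(lines, flexlm_ts: str) -> list:
    """Run every line through parse_line and keep the events that survive."""
    return [e for e in (parse_line(l, flexlm_ts) for l in lines) if e is not None]


# Constructed sample input (not a real debug log); the TIMESTAMP date is assumed.
SAMPLE_TS = "3/14/2017"
SAMPLE_LINES = [
    ' 9:52:23 (MLM) OUT: "MATLAB" alice@ws-01',
    ' 9:58:10 (MLM) IN: "MATLAB" alice@ws-01',
    '10:01:07 (MLM) DENIED: "MATLAB" bob@ws-02 (Licensed number of users already reached. (-4,342))',
    '10:01:08 (MLM) Warning: constructed warning text',
    '10:05:00 (lmgrd) some other line the pipeline should drop',
]

if __name__ == "__main__":
    for event in parse_log(SAMPLE_LINES, SAMPLE_TS):
        print(event)
```

Running the script prints one dict per surviving line and nothing for the dropped one; a line that is routed to a branch but does not fit its pattern comes back tagged `_grokparsefailure`, which is the same signal to look for in Kibana when a new pattern is wrong.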
