Dear Comminuty
I need your help to fix my issue.
i have 2 logs in same index that should be aggregate to view all information on the Data Table visualize
input {
udp {
port => 1514
type => "alcatel"
}
}
filter {
if [type] == "alcatel" {
grok {
match => { "message" => [ "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:(%{POSINT:syslog_pid}))\s+\w+:\s+[\w+](?<status>\s+Authentication\s+failed):\s+\w+ %{DATA:job_id},",
"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:(%{POSINT:syslog_pid}))\s+\w+:\s+[\w+](?<status>\s+Session)%{DATA:job_id},\s+\w+\s+\w+\s+%{SYSLOGHOST:srcip}",
"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:(%{POSINT:syslog_pid}))\s+\w+:\s+[\w+](?<status>\s+Authentication\s+succeed):\s+\w+ %{DATA:job_id}," ] }
add_field => [ "received_at", "%{@timestamp}" ]
add_tag => "Alcatel"
}
if "_grokparsefailure" in [tags] {
drop {}
}
aggregate {
task_id => "%{job_id}"
code => "
map['syslog_timestamp'] ||= event.get('syslog_timestamp')
map['syslog_hostname'] ||= event.get('syslog_hostname')
map['syslog_program'] ||= event.get('syslog_program')
map['syslog_pid'] ||= event.get('syslog_pid')
map['status'] ||= event.get('status')
map['srcip'] ||= event.get('srcip')
map['job_id'] ||= event.get('job_id')
"
timeout => 2
timeout_tags => ['aggregated']
map_action => 'create_or_update'
push_map_as_event_on_timeout => true
}
mutate { gsub => [ "status", "^ ", "" ] }
}
}
I would like to generate only one logs based on job_id, because in first logs miss the src ip address and the second logs miss the authentication response.
For example I received these log:
Log 1
<78>Aug 03 19:04:41 mi-sg12-sw-01 SESSION(71) Data: [SES] Authentication failed: Session 13, access type Telnet
Log 2
Aug 03 22:25:19 mi-sg12-sw-01 SESSION(71) Data: [SES] Session 13, IP address 10.3.1.4
Log finally:
Aug 03 19:04:41 mi-sg12-sw-01 Authentication failed 13 IP Address 10.3.1.4