Basic logstash grok pattern - need help

Blason · November 2, 2017, 8:37am

Hi Guys,

I have file this and I am trying to build a pattern for the same. Somehow this is not working. Can some one please help

/var/log/badhost.txt =
125.118.243.164
216.245.208.133
199.59.242.150
104.145.232.3
.
.
.
.
.

input {
# add necessary input parameters
file {
type => "threat-intel"
path => "/var/log/badhost.txt"
}
}

filter {
if [type] == "threat-intel" {
grok {
match => { "message =>"%{ clientip:IPV4}"
"geoip": {
"field": "clientip"
}
}

bad-smruti · November 2, 2017, 8:51am

The basic syntax for GROK Pattern is %{SYNTAX:SEMANTIC}. So you need to change %{ clientip:IPV4} this :

to

%{IPV4:clientip}

Refer this for the basic grok filter : Grok filter plugin | Logstash Reference [8.11] | Elastic

.

Blason · November 2, 2017, 9:55am

Thanks I am complete novice to Logstash and learning bit by bit ..Thnks for the info though

Blason · November 2, 2017, 11:41am

`input {

beats {
port => 5044
}
}

filter {
if [type] == "threat-intel" {
grok {
match => { "message" => "%{IPV4:clientip}"

    geoip {
            {
                    source => "clientip"
                    }
              }
            }
    }

}
output {
elasticsearch {
hosts => "192.168.1.15:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
`

Any clue with this config I am not able to parse geo tagging and I am accepting data over filebeat.

magnusbaeck · November 2, 2017, 1:08pm

You've put your geoip filter inside your grok filter, i.e. your curly braces are mismatched.

Blason · November 3, 2017, 5:08am

Hey there,

Is there any sample config that I can refer to? I mean these are just a simple IP addresses with Line break.

magnusbaeck · November 3, 2017, 6:23am

Well, in this case you don't need a grok filter since the lines as you say only contain the IP address. Just point the geoip filter at the message field, or use a mutate filter to rename message to clientip or whatever you prefer.

Blason · November 3, 2017, 6:33am

so in my case it would just be match => Message?

magnusbaeck · November 3, 2017, 6:38am

No, drop the grok filter completely.

Blason · November 3, 2017, 7:13am

If you dont mind would you please give me sample snippet? Plss? My use case is simple just have IP addresses and need to parse and tag with Geo_points

magnusbaeck · November 3, 2017, 8:00am

geoip {
  source => "message"
}

Blason · November 3, 2017, 1:22pm

Thanks man.. I really appreciate that

system · December 1, 2017, 1:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.