Blason
(R)
April 19, 2020, 7:26am
1
Hi guys,
Somehow my grok pattern is not working. Can someone please help?
Here is the original message:
2020-04-18 13:02:20,391 INFO [ImapSSLServer-345] [ip=171.51.237.87;ua=com.samsung.android.email.provider;] security - cmd=Auth; account=aaaaa@bbbbb.com; protocol=imap;
And here are my parsers
%{TIMESTAMP_ISO8601:timestamp} %{WORD:level}%{SPACE:space}\[%{WORD:gibber}\]\[%{WORD:ip}\=%{IP:src_ip}\;%{WORD:UserAgent}\=%{DATA:data}\;\] %{WORD:method} \- cmd=Auth\; %{WORD:account}\=%{GREEDYDATA:emailAddress}\; %{DATA=protocol}\=%{WORD:proto}\;"
Badger
April 19, 2020, 3:06pm
2
Your pattern does not appear to allow a space between the first ] and the following [.
I suggest you read this.
Blason
(R)
April 19, 2020, 6:02pm
3
Are you talking about ] [?
345] [ip
In fact, even after that I still do not have any luck.
"message" => "2020-04-18 13:02:20,391 INFO [ImapSSLServer-345] [ip=171.51.237.87;ua=com.samsung.android.email.provider;] security - cmd=Auth; account=zzzz@yyyy.com; protocol=imap;",
"tags" => [
[0] "_grokparsefailure"
],
"@version" => "1",
"@timestamp" => 2020-04-19T18:01:44.824Z,
"host" => "traplox"
Here is my config
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:level}%{SPACE:space}\[%{WORD:gibber}\]\s*\[%{WORD:ip}\=%{IP:src_ip}\;%{WORD:UserAgent}\=%{DATA:data}\;\]\s*%{WORD:method}\s*\-\s*cmd\=Auth\;\s*%{WORD:account}\=%{GREEDYDATA:emailAddress}\;\s*%{DATA=protocol}\=%{WORD:proto}\;"}
Badger
April 19, 2020, 7:49pm
4
Again, I suggest you read the post I linked to and build the pattern one field at a time.
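Building the match one field at a time, as suggested above, can be scripted. The Ruby sketch below is an added example, not code from this thread: it expands a small, simplified subset of grok patterns into regular expressions and reports the first piece at which the sample line stops matching. The field names in `FIXED` (`thread`, `user_agent`, `logger`, `cmd`) and the cut-down `TIMESTAMP_ISO8601` and `IP` definitions are assumptions.

```ruby
# Simplified subset of the stock grok patterns. TIMESTAMP_ISO8601 and IP are
# cut-down stand-ins (assumption); the other definitions match the stock ones.
GROK = {
  'TIMESTAMP_ISO8601' => '\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?',
  'IP'         => '(?:\d{1,3}\.){3}\d{1,3}',
  'WORD'       => '\b\w+\b',
  'NOTSPACE'   => '\S+',
  'SPACE'      => '\s*',
  'DATA'       => '.*?',
  'GREEDYDATA' => '.*'
}.freeze

# Sample line from the first post of the thread.
LINE = '2020-04-18 13:02:20,391 INFO [ImapSSLServer-345] [ip=171.51.237.87;ua=com.samsung.android.email.provider;] security - cmd=Auth; account=aaaaa@bbbbb.com; protocol=imap;'

# Expand %{NAME} and %{NAME:field} into a Ruby regex source string.
def expand(pattern)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body = GROK.fetch(name)
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Index of the first piece that makes the anchored prefix stop matching, or nil.
def first_failure(pieces, line)
  pieces.each_index do |i|
    return i unless Regexp.new('\A' + expand(pieces[0..i].join)).match?(line)
  end
  nil
end

# Field hash for a full match of all pieces, or nil when the line does not match.
def parse(pieces, line)
  m = Regexp.new('\A' + expand(pieces.join)).match(line)
  m && m.named_captures
end

# Head of the pattern from the first post, one field per piece.
ORIGINAL_HEAD = ['%{TIMESTAMP_ISO8601:timestamp} ', '%{WORD:level}%{SPACE:space}',
                 '\[%{WORD:gibber}\]',  # WORD is \b\w+\b and cannot cross the "-" in ImapSSLServer-345
                 '\[%{WORD:ip}\=%{IP:src_ip}\;'].freeze

# Hypothetical rewrite (field names are illustrative, not from the thread).
FIXED = ['%{TIMESTAMP_ISO8601:timestamp} ', '%{WORD:level}%{SPACE}',
         '\[%{NOTSPACE:thread}\]%{SPACE}', '\[ip=%{IP:src_ip};ua=%{DATA:user_agent};\] ',
         '%{WORD:logger} - cmd=%{WORD:cmd}; ', 'account=%{DATA:account}; ',
         'protocol=%{WORD:proto};'].freeze

puts "original stops matching at piece #{first_failure(ORIGINAL_HEAD, LINE).inspect}"
puts parse(FIXED, LINE).inspect
```

Patterns validated this way should still be checked in Logstash itself, since the real `TIMESTAMP_ISO8601` and `IP` definitions are broader than the stand-ins used here.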