Can't parse after optional field has been set

Hello!

I'm working on Cisco WSA logs. Some fields are optional. In particular, the field which contains username information: sometimes we have "DOMAIN\smith@AD" and sometimes we have just -

When the username is present, all is OK. But when the username is "-", I can't parse what follows.

Log sample with no issue:

<14>May 06 08:31:53 ACCESS_LOGS: Info: 1620282712.713 0 10.31.199.115 TCP_DENIED/407 0 CONNECT tunnel://nexus.officeapps.live.com:443/ "CORP\smith@AD1" DATA1

Grok pattern:

<%{POSINT:syslog_pri}>(%{SYSLOGTIMESTAMP:syslog_timestamp}) %{WORD:log_type}: %{WORD:syslog_facility}: %{NUMBER:timestamp} %{INT:elaspsed_time} %{IP:client_ip} %{WORD:result_code}/%{NUMBER:response_code} %{NUMBER:response_size} %{WORD:http_method} (%{URIPROTO:http_protocol}://)?%{IPORHOST:dst_host}(?::%{POSINT:port})?(?:%{NOTSPACE:uri_param})? ("%{WORD:Domain}\\%{USERNAME:user}@%{WORD:DomainController}")? %{WORD:TESTDATA}

Log sample with issue:

<14>May 06 08:31:53 ACCESS_LOGS: Info: 1620282712.713 0 10.31.199.115 TCP_DENIED/407 0 CONNECT tunnel://nexus.officeapps.live.com:443/ - DATA1

=> no match on grok debug

Thanks for your help

Hello Travis,

The problem is that optional fields either exist or do not exist. In your case, the value is not missing but it is replaced with a dash. Therefore, your grok pattern fails. The fix is easy - replace your username pattern with the following:
("%{WORD:Domain}\\%{USERNAME:user}@%{WORD:DomainController}"|-)

This means that either a username with domain is expected or a dash.

Best regards
Wolfram
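To see the difference between the two username patterns outside of Logstash, here is an added Python example (not from the thread or from Elastic) that expands the grok pattern into a plain regular expression and runs both log samples from the question through the original pattern and the corrected `(...|-)` alternation. The grok definitions in the `GROK` table are simplified, hand-written approximations of the logstash-patterns-core ones (IPv4 only, abbreviated month names), so they are an assumption of this example rather than the real pattern library.

```python
import re

# Simplified stand-ins for the standard grok definitions (assumption of this
# example, not the real logstash-patterns-core library). Nested %{NAME} references
# are allowed and get expanded recursively by grok_to_regex().
GROK = {
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+))",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "IP": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*\b",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "URIPROTO": r"[A-Za-z][A-Za-z0-9+\-.]*",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)?",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
}

# Matches %{NAME} or %{NAME:field}
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand every %{NAME[:field]} reference into a (named) regex group."""

    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = GROK[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    # Loop until no references remain, so nested definitions get expanded too.
    while _REF.search(pattern):
        pattern = _REF.sub(expand, pattern)
    return pattern


def parse(grok_pattern: str, line: str):
    """Return the captured fields as a dict, or None when the line does not match."""
    m = re.search(grok_to_regex(grok_pattern), line)
    return m.groupdict() if m else None


# Everything before and after the username field is identical in both patterns
# (copied from the question, raw strings so the grok escapes survive as-is).
PREFIX = (
    r"<%{POSINT:syslog_pri}>(%{SYSLOGTIMESTAMP:syslog_timestamp}) %{WORD:log_type}: "
    r"%{WORD:syslog_facility}: %{NUMBER:timestamp} %{INT:elaspsed_time} %{IP:client_ip} "
    r"%{WORD:result_code}/%{NUMBER:response_code} %{NUMBER:response_size} %{WORD:http_method} "
    r"(%{URIPROTO:http_protocol}://)?%{IPORHOST:dst_host}(?::%{POSINT:port})?(?:%{NOTSPACE:uri_param})? "
)
SUFFIX = r" %{WORD:TESTDATA}"

# Original: the whole quoted username group is optional, but nothing consumes the "-".
USER_ORIGINAL = r'("%{WORD:Domain}\\%{USERNAME:user}@%{WORD:DomainController}")?'
# Fix from the answer: either the quoted username or a literal dash must be present.
USER_FIXED = r'("%{WORD:Domain}\\%{USERNAME:user}@%{WORD:DomainController}"|-)'

PATTERN_ORIGINAL = PREFIX + USER_ORIGINAL + SUFFIX
PATTERN_FIXED = PREFIX + USER_FIXED + SUFFIX

# The two log samples from the question.
LOG_WITH_USER = (
    r'<14>May 06 08:31:53 ACCESS_LOGS: Info: 1620282712.713 0 10.31.199.115 TCP_DENIED/407 0 '
    r'CONNECT tunnel://nexus.officeapps.live.com:443/ "CORP\smith@AD1" DATA1'
)
LOG_WITH_DASH = (
    r'<14>May 06 08:31:53 ACCESS_LOGS: Info: 1620282712.713 0 10.31.199.115 TCP_DENIED/407 0 '
    r'CONNECT tunnel://nexus.officeapps.live.com:443/ - DATA1'
)


if __name__ == "__main__":
    for label, pattern in (("original", PATTERN_ORIGINAL), ("fixed", PATTERN_FIXED)):
        for line in (LOG_WITH_USER, LOG_WITH_DASH):
            fields = parse(pattern, line)
            summary = "NO MATCH" if fields is None else {k: fields[k] for k in ("user", "TESTDATA")}
            print(f"{label:8s} {line[-25:]!r:30s} -> {summary}")
```

With the original pattern the dash line yields no match, because after the optional group the regex still demands a space followed by `DATA1`, and the `-` is left unconsumed; with the alternation, the dash is consumed and `user`/`Domain`/`DomainController` come back as `None` while `TESTDATA` is still captured.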

Hello Wolfram,

Yes, sounds logical now... it works perfectly. Thanks a lot!
