This is my first grok filter; if anyone has any input, I'm more than happy to receive it.
I'm able to parse a good portion of the Aruba ClearPass logs, but there is one field I'm unable to split into columns, e.g. I would like to split that row into what we see below. I'm running Logstash 6.4, and I also included a picture of how the row looks. Below is my first grok filter.
RADIUS: MSCHAP: AD status:Logon failure (0xc000006d) \nMSCHAP: Authentication failed\nEAP-MSCHAPv2: User authentication failure
RADIUS : MSCHAP
AD status : Login failure (0xc000006d)
MSCHAP: Authentication failed
...
filter {
  if "aruba" in [tags] {
    grok {
      match => {
        "message" => "%{MONTH:Month}%{SPACE}%{MONTHDAY:MonthDay}%{SPACE}%{TIME:time}%{SPACE}(?<date>\d{4}-\d{2}-\d{2})%{SPACE} %{DATA:unknown_data} %{DATA:time} %{IPV4:Clearpass_IP} %{SYSLOGHOST:syslog_server} %{NUMBER:log_number} %{INT:unknown_data2} %{INT:unknown_data3} %{GREEDYDATA:kv_pairs}"
      }
    }
    kv {
      source => "kv_pairs"
      field_split => ","
    }
    mutate {
      # Original message has been fully parsed, so remove it, and remove
      # kv_pairs to avoid duplicate data. Both go in a single remove_field
      # setting: listing the option twice in one mutate block means only
      # the last one takes effect.
      remove_field => [ "message", "kv_pairs" ]
    }
  }
}
[Log Sample]
Sep 25 14:47:22 2018-09-25 14: 47:22,559 10.30.42.9 syslog-server 1453 1 0 Sep 25 14:51:20 2018-09-25 14: 51:20,615 10.30.42.8 server-name 270369 1 0 Common.Username=john.doe,Common.Service=WLAN_Enterprise,Common.Roles=[Guest],RADIUS.Auth-Source=AD:three.fifty.com,RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,Common.System-Posture-Token=UNKNOWN,Common.Enforcement-Profiles=PAN-Update-Node, cci_connect Access Profile,Common.Host-MAC-Address=deadbeefdead,Common.NAS-IP-Address=1.2.3.4,Common.Error-Code=216,Common.Alerts=RADIUS: MSCHAP: AD status:Logon failure (0xc000006d) \nMSCHAP: Authentication failed\nEAP-MSCHAPv2: User authentication failure,Common.Request-Timestamp=2018-09-25 14:50:17-07
I took some of my ideas from this guy.
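As an added example (my own Python, not the poster's filter and not anything from the Logstash or ClearPass projects), here is the splitting that the question asks for, done outside Logstash so it can be unit-tested against the log sample above before being turned into grok/kv stages. It does two things the sample shows are needed: it splits the key=value tail on commas only where a new `Something.Key=` follows (a plain `field_split => ","` cuts `RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2` and `Common.Enforcement-Profiles=PAN-Update-Node, cci_connect Access Profile` in half), and it breaks `Common.Alerts` into the name/detail rows listed at the top of the post. The pairwise colon rule in `split_alert_line` is my assumption, chosen to reproduce exactly those rows; the `KV_PAIRS` constant is the sample line's tail copied from the post.

```python
import re

# Constructed sample: the key=value tail of the poster's log line, i.e. what the
# grok stage captures as kv_pairs (copied from the [Log Sample] in the post).
# Raw strings keep the "\n" exactly as ClearPass writes it: backslash then "n".
KV_PAIRS = (
    r"Common.Username=john.doe,Common.Service=WLAN_Enterprise,Common.Roles=[Guest],"
    r"RADIUS.Auth-Source=AD:three.fifty.com,RADIUS.Auth-Method=EAP-PEAP,EAP-MSCHAPv2,"
    r"Common.System-Posture-Token=UNKNOWN,"
    r"Common.Enforcement-Profiles=PAN-Update-Node, cci_connect Access Profile,"
    r"Common.Host-MAC-Address=deadbeefdead,Common.NAS-IP-Address=1.2.3.4,"
    r"Common.Error-Code=216,"
    r"Common.Alerts=RADIUS: MSCHAP: AD status:Logon failure (0xc000006d) \nMSCHAP: "
    r"Authentication failed\nEAP-MSCHAPv2: User authentication failure,"
    r"Common.Request-Timestamp=2018-09-25 14:50:17-07"
)

# A ClearPass key looks like "Common.Username" or "RADIUS.Auth-Method": a word,
# a dot, word characters or dashes, then "=".
_KEY = r"[A-Za-z][\w-]*\.[\w-]+="
_KV_START = re.compile(r"\b" + _KEY)
# Split on a comma only when the next thing is another key, so commas that sit
# inside a value are left alone. (Heuristic: a value that itself contains
# "Word.Word=" would still be split.)
_PAIR_SPLIT = re.compile(r",(?=\s*" + _KEY + ")")


def split_prefix(line):
    """Return (syslog prefix, key=value tail) for a full ClearPass syslog line."""
    m = _KV_START.search(line)
    if not m:
        return line, ""
    return line[: m.start()].rstrip(), line[m.start():]


def parse_kv_pairs(text):
    """Parse the key=value tail into a dict, keeping commas inside values."""
    fields = {}
    for chunk in _PAIR_SPLIT.split(text):
        key, sep, value = chunk.partition("=")
        if sep:  # skip fragments without "=" (cannot happen with the split above)
            fields[key.strip()] = value.strip()
    return fields


def split_alert_line(line):
    """Turn one alert line into (name, detail) rows.

    Assumption (mine, matching the rows the poster listed): colons separate
    alternating name/detail segments, so "RADIUS: MSCHAP: AD status:Logon failure"
    becomes ("RADIUS", "MSCHAP") and ("AD status", "Logon failure"). With an odd
    number of segments the trailing one is folded back into the last detail so a
    colon inside a value (e.g. a time) is not lost.
    """
    parts = [p.strip() for p in line.split(":")]
    if len(parts) == 1:
        return [(parts[0], "")]
    if len(parts) % 2:
        parts = parts[:-2] + [parts[-2] + ":" + parts[-1]]
    return list(zip(parts[0::2], parts[1::2]))


def parse_alerts(alerts):
    """Split Common.Alerts into rows. ClearPass writes the separator as the two
    characters backslash-n; a real newline is accepted as well."""
    rows = []
    for line in re.split(r"\\n|\n", alerts):
        line = line.strip()
        if line:
            rows.extend(split_alert_line(line))
    return rows


if __name__ == "__main__":
    fields = parse_kv_pairs(KV_PAIRS)
    for key, value in fields.items():
        print(f"{key} = {value}")
    print("--- Common.Alerts as rows ---")
    for name, detail in parse_alerts(fields["Common.Alerts"]):
        print(f"{name} : {detail}")
```

Once the rows come out the way you want here, the same two regexes (the lookahead split and the backslash-n split) are what the `kv` and a second `kv`/`mutate split` stage on `Common.Alerts` need to reproduce; having `Common.Error-Code` and the alert rows as separate fields is what makes it easy to alert on repeated logon failures per `Common.Username` or `Common.Host-MAC-Address` later.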