Creating grok patterns for Horizon View debug


(Have Aloha) #1

I am a little confused about how to regex/grok the data from the Horizon View debug logs that we are forwarding to logstash. I don't know what regex to put in the pattern. Maybe I don't even have this close?

Here are the Horizon View VDI debug lines being sent to syslog, with logoff, logon and connected respectively:

2015-12-04T15:26:14.697-08:00 INFO  (0B44-0DF8) <DesktopControlJMS> [DesktopTracker] User domain\bmoc logged off from machine Live6-071 for desktop live - session allocated at December 3, 2015 11:50:52 AM PST, connected for -123 mins -33 secs
2015-12-04T15:26:24.749-08:00 DEBUG (0B44-0C98) <TP-Processor3> [EventLogger] (SESSION:9d1d_***_bfdf) Info_Event:[BROKER_USERLOGGEDIN] "User domain\jdoe has logged in": ClientIpAddress=192.168.8.230, TotalUsers=72, BrokerSessionId=9d1d_***_bfdf, Module=Broker, UserDisplayName=domain\jdoe, Source=net.propero.modules.properOps.UserSessionTracker, Severity=AUDIT_SUCCESS, Time=Fri Dec 04 15:26:24 PST 2015, Node=ViewCX.DOMAIN.local, UserSID=S-1-5-21-1234565434-1234567465-456784556-4995, Acknowledged=true
2015-12-04T15:27:12.498-08:00 INFO  (0B44-0DF8) <DesktopControlJMS> [Audit] CONNECTED:Server:cn=ca75dc41-153d-4975-9be8-242554302031,ou=servers,dc=vdi,dc=vmware,dc=int;Pool:cn=test,ou=server groups,dc=vdi,dc=vmware,dc=int;DNS:TEST-023.DOMAIN.local;IP:192.168.6.76;USER:domain\jdoe;USERDN:cn=s-1-5-21-1234565434-1234567465-456784556-4995,cn=foreignsecurityprincipals,dc=vdi,dc=vmware,dc=int;BROKERUSERSID:S-1-5-21-1234565434-1234567465-456784556-4995;

/etc/logstash/conf.d/10-syslog.conf

if ("<TP-Processor3>" in [program]) {
  grok {
    # grok takes a plain pattern string: no /.../ delimiters, and match is a hash
    match => { "message" => ".+?\[BROKER_USERLOGGEDIN\]" }
    # one add_tag with a list; a repeated add_tag key does not add a second tag
    add_tag => ["VDI", "VDI-LOGGED_ON"]
  }
}
if ("<DesktopControlJMS>" in [program]) {
  grok {
    match => { "message" => ".+?\[DesktopTracker\] User.+?connected" }
    add_tag => ["VDI", "VDI-CONNECTED"]
  }
  grok {
    match => { "message" => ".+?\[DesktopTracker\] User.+?logged off" }
    add_tag => ["VDI", "VDI-LOGGED_OFF"]
  }
}
if ("VDI-LOGGED_ON" in [tags]) {
  grok {
    named_captures_only => true
    patterns_dir => "/etc/logstash/grok/vdi.pattern"
    match => { "message" => "%{LOGGED_ON}" }
  }
}
if ("VDI-CONNECTED" in [tags]) {
  grok {
    named_captures_only => true
    patterns_dir => "/etc/logstash/grok/vdi.pattern"
    match => { "message" => "%{CONNECTED}" }
  }
}
if ("VDI-LOGGED_OFF" in [tags]) {
  grok {
    named_captures_only => true
    patterns_dir => "/etc/logstash/grok/vdi.pattern"
    match => { "message" => "%{LOGGED_OFF}" }
  }
}


/etc/logstash/grok/vdi.pattern:
LOGGED_ON ((%{TIMESTAMP_ISO8601:vdi_timestamp}) (%{SYSLOGFACILITY:vdi_facility}) (%{SYSLOGHOST:vdi_host}) (%{PROG:vdi_prog}) (%{DATA:vdi_subprog}) (:vdi_user) (:vdi_client_ip))
CONNECTED  ((%{TIMESTAMP_ISO8601:vdi_timestamp}) (%{SYSLOGFACILITY:vdi_facility}) (%{SYSLOGHOST:vdi_host}) (%{PROG:vdi_prog}) (%{DATA:vdi_subprog}) (:vdi_host) (:vdi_host_ip) (:vdi_user))
LOGGED_OFF  ((%{TIMESTAMP_ISO8601:vdi_timestamp}) (%{SYSLOGFACILITY:vdi_facility}) (%{SYSLOGHOST:vdi_host}) (%{PROG:vdi_prog}) (%{DATA:vdi_subprog}) (:vdi_user) (:vdi_host))
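
Added example (not from the post or from Logstash): a minimal grok-to-regex expander plus candidate LOGGED_ON, CONNECTED and LOGGED_OFF patterns written against the three lines quoted above, so the captures can be checked offline before the patterns go into vdi.pattern. The base patterns (TIMESTAMP_ISO8601, THREAD, PROG, USER, ...) are hand-written stand-ins for the Logstash defaults and the field names are my assumptions, chosen to mirror the poster's vdi_* names; the sample lines are the post's own, with their tails shortened.

```python
import re

# Hand-written stand-ins for grok's default patterns (assumed, not Logstash's own).
BASE = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})",
    "LOGLEVEL": r"TRACE|DEBUG|INFO|WARN|ERROR|FATAL",
    "THREAD": r"[0-9A-F]{4}-[0-9A-F]{4}",   # the (0B44-0DF8) token
    "PROG": r"[\w-]+",                     # TP-Processor3, DesktopTracker, Audit
    "HOSTNAME": r"[\w.-]+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USER": r"[^\\\s]+\\[^\s;,]+",         # DOMAIN\user, stops at space ; or ,
}

# Grok-syntax patterns: what a vdi.pattern file could contain (field names assumed).
VDI = {
    "VDI_PREFIX": r"^%{TIMESTAMP_ISO8601:vdi_timestamp} %{LOGLEVEL:vdi_level}\s+"
                  r"\(%{THREAD:vdi_thread}\) <%{PROG:vdi_prog}> \[%{PROG:vdi_subprog}\]",
    "LOGGED_ON": r'%{VDI_PREFIX} .*?\[BROKER_USERLOGGEDIN\] "User %{USER:vdi_user} has logged in": '
                 r"ClientIpAddress=%{IP:vdi_client_ip},",
    "CONNECTED": r"%{VDI_PREFIX} CONNECTED:.*?DNS:%{HOSTNAME:vdi_host};IP:%{IP:vdi_host_ip};"
                 r"USER:%{USER:vdi_user};",
    "LOGGED_OFF": r"%{VDI_PREFIX} User %{USER:vdi_user} logged off from machine %{HOSTNAME:vdi_host} ",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")   # %{NAME} or %{NAME:field}

def compile_grok(name, library):
    """Recursively expand %{NAME[:field]} references into one Python regex."""
    def expand(m):
        inner = GROK_REF.sub(expand, library[m.group(1)])
        return f"(?P<{m.group(2)}>{inner})" if m.group(2) else f"(?:{inner})"
    return re.compile(GROK_REF.sub(expand, library[name]))

LIBRARY = {**BASE, **VDI}
EVENTS = [("VDI-LOGGED_ON", "LOGGED_ON"), ("VDI-CONNECTED", "CONNECTED"), ("VDI-LOGGED_OFF", "LOGGED_OFF")]
COMPILED = {name: compile_grok(name, LIBRARY) for _, name in EVENTS}

def match_vdi_event(line):
    """Return (tag, captured fields) for the first event pattern that matches, else None."""
    for tag, name in EVENTS:
        m = COMPILED[name].search(line)    # grok also searches rather than anchors by default
        if m:
            return tag, m.groupdict()
    return None

SAMPLE_LINES = [  # the post's three lines, tails shortened
    r"2015-12-04T15:26:14.697-08:00 INFO  (0B44-0DF8) <DesktopControlJMS> [DesktopTracker] User domain\bmoc logged off from machine Live6-071 for desktop live - session allocated at December 3, 2015 11:50:52 AM PST, connected for -123 mins -33 secs",
    r'2015-12-04T15:26:24.749-08:00 DEBUG (0B44-0C98) <TP-Processor3> [EventLogger] (SESSION:9d1d_***_bfdf) Info_Event:[BROKER_USERLOGGEDIN] "User domain\jdoe has logged in": ClientIpAddress=192.168.8.230, TotalUsers=72, BrokerSessionId=9d1d_***_bfdf, Module=Broker',
    r"2015-12-04T15:27:12.498-08:00 INFO  (0B44-0DF8) <DesktopControlJMS> [Audit] CONNECTED:Server:cn=ca75dc41-153d-4975-9be8-242554302031,ou=servers,dc=vdi,dc=vmware,dc=int;Pool:cn=test,ou=server groups,dc=vdi,dc=vmware,dc=int;DNS:TEST-023.DOMAIN.local;IP:192.168.6.76;USER:domain\jdoe;USERDN:cn=s-1-5-21-1234565434-1234567465-456784556-4995,cn=foreignsecurityprincipals,dc=vdi,dc=vmware,dc=int;",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(match_vdi_event(line))
```

Each compiled pattern's `.pattern` is the Oniguruma-compatible regex grok would build, apart from `(?P<name>...)` which becomes `(?<name>...)` in a Logstash pattern file.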

(Magnus Bäck) #2

Please format the configuration as code to avoid having e.g. backslashes stripped away.
