Doubts about Grok

Hello people, I have a doubt about my filter.

I have this content in my log file

{"other_logs": "127.0.0.1|28614|2018-11-28 23:51:57|srcport 50389 mwtype AvalancheBotnet-andromeda destaddr 2.2.2.2 destinyurl: dogs.ru|Moscou, RU", "source_port": "50389", "malware_name": "AvalancheBotnet-andromeda", "subject": "Host with malware malware"}

When I did the filter as below it works

    if "|" in [other_logs] {
        mutate {
            split => ["other_logs", "|"]
            add_field => { "ASN" => "%{[other_logs][1]}" }
            add_field => { "teste3" => "%{[other_logs][3]}" }
        }

        grok {
            match => { "teste3" => "%{IPV4:CC}" }
            add_tag => ["contains_ip"]
        }
        grok {
            match => { "teste3" => "\: %{GREEDYDATA:domain}" }
            add_tag => ["contains_url"]
        }
    }

But when I try to do it as below it does not work; the filter just gets the C&C IP.
    ...
    grok {
        match => { "teste3" => "%{IPV4:CC}%{SPACE}%{WORD}\:%{SPACE}%{DATA:domain}" }
    }

Could someone help me?

Thanks

The problem with DATA is that it can match as much or as little as it wants. In this case it is matching nothing, as you will see if you add

    keep_empty_captures => true

to your grok filter, which will result in you getting

    "domain" => "",

Try

    grok { match => { "teste3" => "%{IPV4:CC}%{SPACE}%{WORD}:%{SPACE}%{NOTSPACE:domain}" } }

HOSTNAME is another option instead of NOTSPACE.
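To see at the regular-expression level why `DATA` captures nothing here while `NOTSPACE` or `HOSTNAME` capture the domain, here is an added Python example (not code from this thread or from Logstash). It expands the grok tokens into named regex groups using simplified versions of the stock pattern definitions (an assumption, labelled in the code), searches the text unanchored as the grok filter does, and reproduces the `keep_empty_captures` behaviour the answer mentions. The input is the `other_logs` value from the question, split on `|` exactly as the `mutate` filter does.

```python
import re

# Regular expressions standing in for the grok patterns used in the thread.
# Assumption: these are simplified versions of the definitions in Logstash's
# stock grok-patterns file, close enough to reproduce the behaviour discussed.
PATTERNS = {
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)",
    "SPACE": r"\s*",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",       # lazy: happily matches the empty string
    "NOTSPACE": r"\S+",   # must consume at least one non-whitespace character
    "HOSTNAME": (r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                 r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)"),
}


def grok_search(pattern, text, keep_empty_captures=False):
    """Expand %{NAME:field} / %{NAME} tokens into named groups and search the
    text unanchored, the way the grok filter does. Returns the captured fields,
    dropping empty captures unless keep_empty_captures is set (grok's default)."""
    def expand(token):
        name, _, field = token.group(1).partition(":")
        regex = PATTERNS[name]
        return f"(?P<{field}>{regex})" if field else f"(?:{regex})"

    regex = re.sub(r"%\{([^}]+)\}", expand, pattern)
    m = re.search(regex, text)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if keep_empty_captures or v}


# The other_logs value from the question; element 3 of the "|" split is what
# the question's mutate filter stores in teste3.
OTHER_LOGS = ("127.0.0.1|28614|2018-11-28 23:51:57|srcport 50389 mwtype "
              "AvalancheBotnet-andromeda destaddr 2.2.2.2 destinyurl: dogs.ru|Moscou, RU")
TESTE3 = OTHER_LOGS.split("|")[3]

DATA_PATTERN = "%{IPV4:CC}%{SPACE}%{WORD}:%{SPACE}%{DATA:domain}"
NOTSPACE_PATTERN = "%{IPV4:CC}%{SPACE}%{WORD}:%{SPACE}%{NOTSPACE:domain}"
HOSTNAME_PATTERN = "%{IPV4:CC}%{SPACE}%{WORD}:%{SPACE}%{HOSTNAME:domain}"


def with_data(keep_empty_captures=False):
    """The pattern from the question: DATA is lazy and nothing after it forces
    it to consume 'dogs.ru', so it matches the empty string."""
    return grok_search(DATA_PATTERN, TESTE3, keep_empty_captures)


def with_notspace():
    """The fix from the answer: NOTSPACE has to consume at least one character."""
    return grok_search(NOTSPACE_PATTERN, TESTE3)


def with_hostname():
    """The alternative mentioned in the answer: HOSTNAME also consumes the domain."""
    return grok_search(HOSTNAME_PATTERN, TESTE3)


if __name__ == "__main__":
    print("DATA, empty captures dropped:", with_data())
    print("DATA, keep_empty_captures:   ", with_data(keep_empty_captures=True))
    print("NOTSPACE:                    ", with_notspace())
    print("HOSTNAME:                    ", with_hostname())
```

With the `DATA` pattern only `CC` survives, which is exactly the "filter just gets the C&C IP" symptom from the question; switching on `keep_empty_captures` exposes the empty `domain` field, and both `NOTSPACE` and `HOSTNAME` return `dogs.ru`.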

Thank you Badger!

It works.
