Hi!
I'm working with logstash in order to parse auditd logs. I tested my patters in http://grokconstructor.appspot.com/do/match and https://grokdebug.herokuapp.com/ and seems working as expected.
But.. it's not working, always returns _grokparsefailure and I can't find the error
My log string is:
type=CWD msg=audit(1568980959.680:12113): cwd="/home/ec2-user"
My pattern is:
type=%{WORD:atype} msg=audit(%{NUMBER:aepoch}:%{NUMBER:acount}): cwd=%{GREEDYDATA:aworkingdir}
What's going on?
Parentheses have meaning in a regexp -- they define a capture group -- so you need to escape them
grok { match => { "message" => "type=%{WORD:atype} msg=audit\(%{NUMBER:aepoch}:%{NUMBER:acount}\): cwd=%{GREEDYDATA:aworkingdir}" } }This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.