Extract field from message field with in logs

ray_zuniga · February 11, 2019, 5:59pm

im working with an elk stack that I did not deploy. I have an "index" for dns logs. it gives me a few default fields. The message field is given, but I noticed that the "client" and "query" with in it are things I would like to get a separate field for because they contain pertinent info. how would I add this ?
what file would I edit to not he Logstash server to add those two "fields" /etc/logstash/conf.d/* ?

the client field has the # sign added to it can I separate that ?
Im an elk noob sorry

message:<30>Feb 11 09:48:11 x.x.x.x named[22083]: client x.x.x.x#56007 (z03resources.renlearnrp.com): query: z03resources.renlearnrp.com IN A +ED (x.x.x.x)

Joe_Fleming · February 11, 2019, 11:20pm

You'll need to inform whatever tool you're using to ingest that data how to break out those values. You mentioned Logstash, which is perfectly capable of doing this... but I don't know that tool so I can't really give you any assistance there. The best I can do is point you at the log parsing docs. You probably just need to update the grok pattern you're using.

ray_zuniga · February 12, 2019, 9:39pm

sorry moved it to Logstash forum instead of Kibana. but that thanks for the input

Badger · February 12, 2019, 10:29pm

I would start by picking apart the syslog header.

    grok { match => [ "message", "^<%{NUMBER:level}>%{SYSLOGTIMESTAMP:ts} %{IPV4:ip1} %{WORD:program}\[%{NUMBER:pid}\]: %{GREEDYDATA:restOfLine}" ] }

I'm not sure what fields you want from that message, but this should get you started.

    grok { match => [ "restOfLine", "^%{WORD:something1} %{IPV4:ip2}#%{NUMBER:port} \(%{HOSTNAME:host1}\): (?<query>[^(]+)\(%{IPV4:ip3}\)" ] }

That gets me

   "program" => "named",
     "query" => "query: z03resources.renlearnrp.com IN A +ED ",
       "ip1" => "1.2.3.4",
        "ts" => "Feb 11 09:48:11",
       "ip2" => "5.6.7.8",
       "pid" => "22083",
     "host1" => "z03resources.renlearnrp.com",
     "level" => "30",
      "port" => "56007",
"something1" => "client"
       "ip3" => "8.1.2.4"

ray_zuniga · February 12, 2019, 10:46pm

Thank you for the info much appreciated. This is deff something for me to go through . This would go in the /etc/logstash/conf.f/*.filter.conf file in logstash correct ?

Badger · February 12, 2019, 10:57pm

Typically you would create a configuration file in /etc/logstash/conf.d and point logstash to the file using -f

ray_zuniga · February 15, 2019, 2:28am

I normally just edit the files in there and sysctl restart logstash. is that not normal ?
do I have to start logstash with a specific conf file every time ?

Badger · February 15, 2019, 1:20pm

You can point -f at a specific file, or at a directory, in which case it will concatenate all the files in the directory to create a configuration. Whatever works for you.

system · March 15, 2019, 1:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extract string from message field kibana Kibana	5	9364	February 21, 2018
Extracting from Bind 9 log files Logstash	8	5139	March 23, 2017
Extract Data from message to display each field as a column in kibana Logstash	10	10177	April 6, 2018
Extract logs from the message field and create new separate runtime fields Kibana runtime-fields	20	1528	January 5, 2023
Extract and add field Logstash	8	1110	July 6, 2017

Extract field from message field with in logs

Related Topics