Filter username or email address within space delimited string

Hello,
I'm trying to create a Logstash filter using Grok for the following log event:

2021-01-15 15:36:08.081 ERROR   t:44    com.ixiasoft.physicalModel.TextmlSession.loginWithServerConnection:321  Unable to authenticate user jane.smith@domain.com com.ixia.textmlserver.corbaimpl.exceptions.ErrorImp: HRESULT <0x0> : Login failed.

Using the Grok Debugger I've come up with the following pattern match thus far:

%{TIMESTAMP_ISO8601:date} %{LOGLEVEL:loglevel}\s*\S+\s*%{NOTSPACE:logger}\s*%{GREEDYDATA:exception} %{USER:user} %{GREEDYDATA:exception2}

I know the 1st %{GREEDYDATA:exception} is not right, but I can't figure how to get past the "Unable to authenticate user" string so that I can capture the "user" field. I assume it needs to be some Regex pattern but can some one help me with this?

My ultimate goal is to be able to set an alarm in Kibana so I will need to be able to search for ("loglevel:ERROR" and "Unable to authenticate user"), and be able to display the "user" field. Ultimately, I think these are the fields I need to parse from the above log event:

"date" => "2021-01-15 15:36:08.081", 
"loglevel" => "ERROR", 
"user" => "jsmith", "jane.smith", "jane.smith@domain.com"
("user" could be any of the 3 patterns.)

Could some one please help with the grok pattern?

TIA!

I tried to change your grok a little and see if this is what you are trying to achieve?

Grok Pattern:

%{TIMESTAMP_ISO8601:date} %{LOGLEVEL:loglevel}\s+\S+\s+%{NOTSPACE:logger}\s+(?<logerror>Unable to authenticate user)\s+%{NOTSPACE:email_address}\s+%{GREEDYDATA:exception2}

Output

{
  "date": [
    "2021-01-15 15:36:08.081"
  ],
  "YEAR": [
    "2021"
  ],
  "MONTHNUM": [
    "01"
  ],
  "MONTHDAY": [
    "15"
  ],
  "HOUR": [
    "15",
    null
  ],
  "MINUTE": [
    "36",
    null
  ],
  "SECOND": [
    "08.081"
  ],
  "ISO8601_TIMEZONE": [
    null
  ],
  "loglevel": [
    "ERROR"
  ],
  "logger": [
    "com.ixiasoft.physicalModel.TextmlSession.loginWithServerConnection:321"
  ],
  "logerror": [
    "Unable to authenticate user"
  ],
  "email_address": [
    "jane.smith@domain.com"
  ],
  "exception2": [
    "com.ixia.textmlserver.corbaimpl.exceptions.ErrorImp: HRESULT <0x0> : Login failed."
  ]
}

Hope this could help you!

Thank you @kavierkoo, your solution works. I think I was expecting it to be more complicated than it actually is.

Glad that helped you!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.