Filter username or email address within space delimited string

earlsanchez · February 6, 2021, 1:20am

Hello,
I'm trying to create a Logstash filter using Grok for the following log event:

2021-01-15 15:36:08.081 ERROR   t:44    com.ixiasoft.physicalModel.TextmlSession.loginWithServerConnection:321  Unable to authenticate user jane.smith@domain.com com.ixia.textmlserver.corbaimpl.exceptions.ErrorImp: HRESULT <0x0> : Login failed.

Using the Grok Debugger I've come up with the following pattern match thus far:

%{TIMESTAMP_ISO8601:date} %{LOGLEVEL:loglevel}\s*\S+\s*%{NOTSPACE:logger}\s*%{GREEDYDATA:exception} %{USER:user} %{GREEDYDATA:exception2}

I know the 1st %{GREEDYDATA:exception} is not right, but I can't figure how to get past the "Unable to authenticate user" string so that I can capture the "user" field. I assume it needs to be some Regex pattern but can some one help me with this?

My ultimate goal is to be able to set an alarm in Kibana so I will need to be able to search for ("loglevel:ERROR" and "Unable to authenticate user"), and be able to display the "user" field. Ultimately, I think these are the fields I need to parse from the above log event:

"date" => "2021-01-15 15:36:08.081", 
"loglevel" => "ERROR", 
"user" => "jsmith", "jane.smith", "jane.smith@domain.com"
("user" could be any of the 3 patterns.)

Could some one please help with the grok pattern?

TIA!

kavierkoo · February 6, 2021, 6:04am

I tried to change your grok a little and see if this is what you are trying to achieve?

Grok Pattern:

%{TIMESTAMP_ISO8601:date} %{LOGLEVEL:loglevel}\s+\S+\s+%{NOTSPACE:logger}\s+(?<logerror>Unable to authenticate user)\s+%{NOTSPACE:email_address}\s+%{GREEDYDATA:exception2}

Output

{
  "date": [
    "2021-01-15 15:36:08.081"
  ],
  "YEAR": [
    "2021"
  ],
  "MONTHNUM": [
    "01"
  ],
  "MONTHDAY": [
    "15"
  ],
  "HOUR": [
    "15",
    null
  ],
  "MINUTE": [
    "36",
    null
  ],
  "SECOND": [
    "08.081"
  ],
  "ISO8601_TIMEZONE": [
    null
  ],
  "loglevel": [
    "ERROR"
  ],
  "logger": [
    "com.ixiasoft.physicalModel.TextmlSession.loginWithServerConnection:321"
  ],
  "logerror": [
    "Unable to authenticate user"
  ],
  "email_address": [
    "jane.smith@domain.com"
  ],
  "exception2": [
    "com.ixia.textmlserver.corbaimpl.exceptions.ErrorImp: HRESULT <0x0> : Login failed."
  ]
}

Hope this could help you!

earlsanchez · February 8, 2021, 7:11pm

Thank you @kavierkoo, your solution works. I think I was expecting it to be more complicated than it actually is.

kavierkoo · February 9, 2021, 8:13am

Glad that helped you!

system · March 9, 2021, 8:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.