Hello,
I'm trying to create a Logstash filter using Grok for the following log event:
2021-01-15 15:36:08.081 ERROR t:44 com.ixiasoft.physicalModel.TextmlSession.loginWithServerConnection:321 Unable to authenticate user jane.smith@domain.com com.ixia.textmlserver.corbaimpl.exceptions.ErrorImp: HRESULT <0x0> : Login failed.
Using the Grok Debugger I've come up with the following pattern match thus far:
%{TIMESTAMP_ISO8601:date} %{LOGLEVEL:loglevel}\s*\S+\s*%{NOTSPACE:logger}\s*%{GREEDYDATA:exception} %{USER:user} %{GREEDYDATA:exception2}
I know the 1st %{GREEDYDATA:exception} is not right, but I can't figure out how to get past the "Unable to authenticate user" string so that I can capture the "user" field. I assume it needs to be some Regex pattern, but can someone help me with this?
My ultimate goal is to be able to set an alarm in Kibana so I will need to be able to search for ("loglevel:ERROR" and "Unable to authenticate user"), and be able to display the "user" field. Ultimately, I think these are the fields I need to parse from the above log event:
"date" => "2021-01-15 15:36:08.081",
"loglevel" => "ERROR",
"user" => "jsmith", "jane.smith", "jane.smith@domain.com"
("user" could be any of the 3 patterns.)
Could someone please help with the grok pattern?
TIA!
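
One way to write the pattern asked for above, as an added example that is not part of the original post: the grok expression in AUTH_FAIL matches the literal "Unable to authenticate user" text and captures the user with NOTSPACE, so all three username forms are covered. The small expander, the simplified pattern definitions and the field names thread and exception are assumptions made here so the expression can be checked offline.

```python
import re

# Simplified stand-ins for the stock grok patterns used below (assumption:
# close enough for this log format, not the full Logstash definitions).
GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL)",
    "INT": r"[+-]?\d+",
    "NOTSPACE": r"\S+",
    "GREEDYDATA": r".*",
}

# Grok expression for the failed-login event. The literal text anchors the
# match; NOTSPACE captures the user because USER ([a-zA-Z0-9._-]+) stops at "@".
AUTH_FAIL = (
    r"^%{TIMESTAMP_ISO8601:date} %{LOGLEVEL:loglevel}\s+t:%{INT:thread}\s+"
    r"%{NOTSPACE:logger}\s+Unable to authenticate user %{NOTSPACE:user}"
    r"(?:\s+%{GREEDYDATA:exception})?$"
)

def grok_to_regex(expr):
    """Expand %{NAME:field} / %{NAME} into a compiled Python regex."""
    def repl(m):
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, expr))

AUTH_FAIL_RE = grok_to_regex(AUTH_FAIL)

def parse(line):
    """Return the extracted fields, or None (grok would tag _grokparsefailure)."""
    m = AUTH_FAIL_RE.match(line)
    return m.groupdict() if m else None

# Constructed sample line; {} is filled with each username form from the post.
TEMPLATE = ("2021-01-15 15:36:08.081 ERROR t:44 com.ixiasoft.physicalModel."
            "TextmlSession.loginWithServerConnection:321 Unable to authenticate "
            "user {} com.ixia.textmlserver.corbaimpl.exceptions.ErrorImp: "
            "HRESULT <0x0> : Login failed.")

if __name__ == "__main__":
    for u in ("jsmith", "jane.smith", "jane.smith@domain.com"):
        f = parse(TEMPLATE.format(u))
        print(f["date"], f["loglevel"], f["user"])
```

The AUTH_FAIL string can be used as the grok match expression for the message field; lines that are not failed logins return None here and would fail the grok match in Logstash.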