Grok an IP address and username

uklipse · August 7, 2019, 8:56pm

Hi, I have the following text below that I'm trying to parse just the IP and username. I've tried adding all the text prior to the IP but still nothing. Even if I just put 1.1.1.1 into the Grok Debugger and %{IP} as the filter, I get nothing so I think there's something very basic I'm missing and could use some help.

Gateway user authentication succeeded. Login from:119.146.12.113, Source region: US, User name: admin, Auth type: profile, Client OS version: Microsoft Windows 10 Enterprise , 64-bit.

Thanks

Badger · August 7, 2019, 9:30pm

Try

    grok {
        match => {
            "message" => [
                "%{IPV4:ip}",
                "User name: %{WORD:user},"
            ]
        }
        break_on_match => false
    }

uklipse · August 8, 2019, 2:39am

Badger to the rescue again! Thanks again!

Sorry for another question but why doesn't this work in the grok debugger site (https://grokdebug.herokuapp.com)? I thought that was were to go to test your patterns.

Topic		Replies	Views
Logstash and Grok filter problem with username Logstash	2	496	September 21, 2020
Grok help splitting username:ip properly Logstash	2	345	June 19, 2018
Grok username in iis log Logstash	9	1751	November 7, 2017
Grok part of message Logstash	5	380	June 24, 2020
Grok pattern to extract username on %{GREEDYDATA:log} Logstash	3	581	April 5, 2018

Grok an IP address and username

Related topics