Grok create an array not a string

Hello,

I am trying to grok a TACACS+ authentication log file from tac_plus.

Example of a log line:

    2020-04-09 16:13:26 +0200 10.2.0.163 test tty2 8.8.8.8 shell login succeeded

This is my filter :

    filter {
      if [type] == "Tacacs" {
        if [log][file][path] == "/var/log/tac_plus/authentication.log" {
          grok {
            match => { "message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} \+0200	%{IP:destination.ip}	%{USER:user.name}%{SPACE}(%{NOTSPACE}%{SPACE})?%{IP:source.ip}	shell login %{WORD:tacacs.outcome}(%{GREEDYDATA})?" }
          }
          if [tacacs.outcome] == "succeeded" {
            mutate {
              add_field => { "event.outcome" => "success" }
            }
          } else {
            mutate {
              add_field => { "event.outcome" => "failure" }
            }
          }
          mutate {
            add_field => { "event.category" => "authentication" }
          }
        }
      }
    }

I don't know why, but I get the values as arrays:

    "destination.ip": [
      "10.2.0.163",
      "10.2.0.163"
    ],
    "event.outcome": [
      "success",
      "failure"
    ],
    "event.category": [
      "authentication",
      "authentication"
    ],
    "source.ip": [
      "8.8.8.8",
      "8.8.8.8"
    ],

Can you help me understand where my problem is?

Thank you for your help :blush:

Hi,

The values you showed as arrays, are they from an actual document request in Elasticsearch?

Can you be more precise about how you ship the logs to Logstash and the configuration used? It looks like the log is parsed by something else.

Thanks for the solution, it was that, I copy-pasted my filter twice...

1 Like
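The arrays in the question follow directly from how Logstash adds fields: a grok capture or a `mutate add_field` on a field that already exists turns the value into an array and appends, and a conditional `==` compares the whole array against the string, which is false. A duplicated filter therefore produces both the doubled `destination.ip` and the contradictory `["success", "failure"]` seen above. The Python script below is an added example (not from the original post or from Logstash itself) that emulates those two rules with a regex mirroring the thread's grok pattern, runs the filter once and twice over a constructed tac_plus line (the question's line with tab separators, as the pattern expects), and flags any array-valued fields so a misconfigured pipeline can be spotted before the documents reach Elasticsearch.

```python
import re

# Constructed from the log line in the question, with tabs where the thread's
# grok pattern uses literal tabs between fields.
SAMPLE_LINE = (
    "2020-04-09 16:13:26 +0200\t10.2.0.163\ttest\ttty2\t8.8.8.8\t"
    "shell login succeeded"
)

# Regex equivalent of the grok pattern: timestamp, destination IP, user name,
# optional tty, source IP, "shell login <outcome>", optional trailing text.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TACACS_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \+0200\t"
    rf"(?P<destination_ip>{IP})\t"
    r"(?P<user_name>\S+)\s*(?:\S+\s*)?"
    rf"(?P<source_ip>{IP})\t"
    r"shell login (?P<tacacs_outcome>\w+).*$"
)
# Regex group -> field name exactly as the thread's filter writes it.
FIELD_NAMES = {
    "destination_ip": "destination.ip",
    "user_name": "user.name",
    "source_ip": "source.ip",
    "tacacs_outcome": "tacacs.outcome",
}


def add_field(event, name, value):
    """Emulates Logstash add_field / grok capture semantics: a field that
    already exists is promoted to a list and the new value appended."""
    if name not in event:
        event[name] = value
    elif isinstance(event[name], list):
        event[name].append(value)
    else:
        event[name] = [event[name], value]


def grok(event):
    """Applies the regex to the message and adds one field per capture."""
    m = TACACS_RE.match(event["message"])
    if m is None:
        add_field(event, "tags", "_grokparsefailure")
        return
    for group, field in FIELD_NAMES.items():
        add_field(event, field, m.group(group))


def tacacs_filter(event):
    """Mirrors the filter block from the question, including its else branch."""
    grok(event)
    # Logstash compares the whole value; an array never equals "succeeded".
    if event.get("tacacs.outcome") == "succeeded":
        add_field(event, "event.outcome", "success")
    else:
        add_field(event, "event.outcome", "failure")
    add_field(event, "event.category", "authentication")


def run_pipeline(line, filter_copies=1):
    """Runs the filter `filter_copies` times on one event, as a pipeline with
    a copy-pasted filter block would."""
    event = {"message": line}
    for _ in range(filter_copies):
        tacacs_filter(event)
    return event


def array_fields(event):
    """Names of fields that ended up as arrays; empty for a healthy event."""
    return sorted(k for k, v in event.items() if isinstance(v, list))


if __name__ == "__main__":
    for copies in (1, 2):
        ev = run_pipeline(SAMPLE_LINE, filter_copies=copies)
        print(f"filter applied {copies}x -> array fields: {array_fields(ev)}")
        print(f"  event.outcome = {ev['event.outcome']!r}")
```

Running it with `filter_copies=2` reproduces the question's output exactly, including `event.outcome` becoming `["success", "failure"]` because the second pass compares the array `["succeeded", "succeeded"]` against the string. Two things worth keeping from this when the real filter is used for authentication monitoring: the `array_fields` check is a cheap assertion to run on a sample of documents after any pipeline change, and the filter's `else` branch also labels lines that grok could not parse as failures, so a check for `_grokparsefailure` in `[tags]` before the outcome conditional avoids turning parser problems into false failed-login events.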
