GROK errors

Everyone,

Below 2 lines of syslog messages:

2021-05-15T14:24:35.235Z - Omada[Controller] [client:A6-09-A2-5A-31-E3] was disconnected from network "LAN (default)" on [osg:90-9A-4A-FD-0D-A5](connected t>
2021-05-15T14:24:42.762Z - Omada[Controller] [client:04-92-26-4A-F2-06] is connected to [osg:90-9A-4A-FD-0D-A5] on LAN (default) network.

=====

This results in the following message when using Discover in Kibana: "Provided Grok expressions do not match field value". Most likely due to the fact that one of these has the phrase LAN (default) network in quotes.

What can be done to fix this?

Kind regards - Will

I think you need to provide more details.

Which application are you running/which version?
Which modules/fileset/metricset are you using?
Did you check the module configuration in Elastic Beats repository?
Did you try to use Grok debugger to figure out the difference?

Thank you for the quick reply.

Which application are you running/which version?

I'm running the ELK stack, version 7.12.

Which modules/fileset/metricset are you using?

Only Filebeat with a syslog feed based on rsyslog on an Ubuntu server, version 20.04.2. The rsyslog configuration is shown below:

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# Write remote messages in different log => stop processing if done
if $fromhost-ip startswith '192.168.' then /var/log/syslog2elk.log
& stop

Did you check the module configuration in Elastic Beats repository?

I activated the system module in Filebeat
and modified system.yml, see below:

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/syslog2elk.log"]

Did you try to use Grok debugger to figure out the difference?

I don't know the Grok Debugger, let alone what to do with it.
Any pointers here are helpful.

Thank you - Will
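The Kibana Grok Debugger does nothing more than run a grok pattern against a sample line and report the named captures, so the same check can be done offline. The block below is an added example and is not code from the thread, from Filebeat or from Elastic: it contains a small grok-style matcher (a subset of the `%{NAME:field}` syntax with simplified base patterns, not the Elastic/Logstash definitions), a simplified syslog-header pattern of the kind a syslog pipeline expects (an assumption for illustration, not the system module's actual ingest pipeline), and two Omada event patterns inferred from the two lines quoted above, one with the network name in quotes and one without. The constructed traditional syslog line is sample input, not from the thread.

```python
import re

# Added example, not from the original thread. A tiny grok-style matcher in
# the spirit of the Kibana Grok Debugger, for testing patterns offline.
# The base patterns are simplified re-implementations (assumption), not the
# Elastic/Logstash definitions.
PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "MAC": r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}",
    "HOSTNAME": r"[A-Za-z0-9._-]+",
    "WORD": r"\w+",
    "POSINT": r"[1-9]\d*",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand_grok(pattern, defs=PATTERNS):
    """Translate %{NAME} / %{NAME:field} references into a Python regex.

    References are expanded repeatedly so a definition may itself refer to
    other definitions. An unknown name raises KeyError, which surfaces a
    typo in the pattern before any line is tested.
    """
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = defs[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    while True:
        expanded = _REF.sub(repl, pattern)
        if expanded == pattern:
            return expanded
        pattern = expanded


def grok_match(pattern, text, defs=PATTERNS):
    """Return the named captures as a dict, or None when the pattern does
    not match (the offline equivalent of the 'do not match' error)."""
    m = re.match(expand_grok(pattern, defs), text)
    return m.groupdict() if m else None


# Simplified syslog header: "Mon DD HH:MM:SS host program[pid]: message".
# Assumption for illustration only, not the Filebeat system module pipeline.
SYSLOG_LINE = (
    r"^%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} "
    r"%{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}$"
)

# Omada patterns inferred from the two lines in the thread (assumption).
# The common prefix is matched first; the remainder is matched against
# one pattern per event type so the quoted and unquoted network names are
# each handled explicitly.
OMADA_HEADER = (
    r"^%{TIMESTAMP_ISO8601:timestamp} - %{WORD:app}\[%{WORD:component}\] "
    r"\[client:%{MAC:client_mac}\] %{GREEDYDATA:event}$"
)
OMADA_EVENTS = {
    # network name is quoted in this variant; 'rest' absorbs any trailing text
    "disconnected": (
        r'^was disconnected from network "%{DATA:network}" on '
        r"\[osg:%{MAC:osg_mac}\]%{GREEDYDATA:rest}$"
    ),
    # network name is unquoted here and followed by the word "network"
    "connected": r"^is connected to \[osg:%{MAC:osg_mac}\] on %{DATA:network} network\.$",
}


def parse_omada(line):
    """Parse one Omada controller line into fields, or return None."""
    header = grok_match(OMADA_HEADER, line)
    if header is None:
        return None
    event = header.pop("event")
    for action, pattern in OMADA_EVENTS.items():
        fields = grok_match(pattern, event)
        if fields is not None:
            return {**header, "action": action, **fields}
    return None


# The two lines quoted in the thread (the first is truncated in the post).
THREAD_LINES = [
    '2021-05-15T14:24:35.235Z - Omada[Controller] [client:A6-09-A2-5A-31-E3] was disconnected from network "LAN (default)" on [osg:90-9A-4A-FD-0D-A5](connected t>',
    "2021-05-15T14:24:42.762Z - Omada[Controller] [client:04-92-26-4A-F2-06] is connected to [osg:90-9A-4A-FD-0D-A5] on LAN (default) network.",
]
# Constructed sample line in traditional syslog format, for contrast.
TRADITIONAL_LINE = "May 15 14:24:35 gateway Omada[Controller]: client connected"

if __name__ == "__main__":
    for line in THREAD_LINES:
        print("syslog header:", grok_match(SYSLOG_LINE, line))
        print("omada pattern:", parse_omada(line))
    print("traditional:", grok_match(SYSLOG_LINE, TRADITIONAL_LINE))
```

Run as a script, both thread lines come back as None against the syslog-header pattern, the quoted and the unquoted one alike, while the constructed traditional line matches it; both thread lines parse with the Omada patterns, giving `network` = `LAN (default)` in each case. The same pattern strings can be pasted into the Kibana Grok Debugger against the real `message` field to confirm the result with Elastic's own grok implementation.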
