GROK Filter problems

TheOnlyOne · May 21, 2018, 11:47am

Hello,
im new on logstash. i use the grok debugger to get extra fields for logstash

This is my log:
<14>May 21 11:01:46 SERVERNAME01 gravityzone: [aph] {"computer_name":"PC1","computer_fqdn":"PC1.company.com","computer_ip":"10.0.0.1","computer_id":"586cfb67383c7983368b456a","product_installed":"BEST","user":{"id":"S-1-5-18","name":"SYSTEM"},"aph_type":"phishing","url":"https:\/\/xxx.com\/","status":"aph_blocked","last_blocked":"2018-05-21T11:01:43.000Z","count":1,"module":"aph"}",

At the moment i have the following pattern:
%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{WORD:PRODUKTNAME]}

i hang on [AHP], i dont now why

Can anybody help me?

thanks!

Badger · May 21, 2018, 1:51pm

I am surprised that works with that random ] at the end of PRODUKTNAME, but it does. Anyways, this will parse that...

  grok { match => [ "message", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{WORD:PRODUKTNAME}: \[%{WORD}\] %{GREEDYDATA:[@metadata][someJSON]}" ] }
  json { source => "[@metadata][someJSON]" target => "somewhere"}

system · June 18, 2018, 1:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok pattern Syslog auth Logstash	3	1341	June 14, 2022
GROK pattern for syslogs Logstash	4	7091	October 13, 2021
Grok parsing syslog error Logstash	4	3760	August 30, 2018
Grok filter multiple match Logstash	4	18143	October 31, 2019
Apply filters Logstash	3	246	May 10, 2023

GROK Filter problems

Related Topics