GROK Filter problems

Elastic Stack Logstash
1

Hello,
im new on logstash. i use the grok debugger to get extra fields for logstash

This is my log:
<14>May 21 11:01:46 SERVERNAME01 gravityzone: [aph] {"computer_name":"PC1","computer_fqdn":"PC1.company.com","computer_ip":"10.0.0.1","computer_id":"586cfb67383c7983368b456a","product_installed":"BEST","user":{"id":"S-1-5-18","name":"SYSTEM"},"aph_type":"phishing","url":"https:\/\/xxx.com\/","status":"aph_blocked","last_blocked":"2018-05-21T11:01:43.000Z","count":1,"module":"aph"}",

At the moment i have the following pattern:
%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{WORD:PRODUKTNAME]}

i hang on [AHP], i dont now why :frowning:

Can anybody help me?

thanks!

2

I am surprised that works with that random ] at the end of PRODUKTNAME, but it does. Anyways, this will parse that...

  grok { match => [ "message", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{WORD:PRODUKTNAME}: \[%{WORD}\] %{GREEDYDATA:[@metadata][someJSON]}" ] }
  json { source => "[@metadata][someJSON]" target => "somewhere"}
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.