Hi Team,
I am trying to parse the below log entries using Grok.
<158>Dec 03 04:50:03 AB-AWSA-01.abcd.xxxxxxxxxxxxxxx.com SIEMAccessLogs: Info: 10.0.0.1 "abcd\abcd@abcd.xxxxxxxxxxxxxxx.com" - [03/Dec/2020:04:50:01 +0000] "TCP_CONNECT 13.110.3.230:443" 200 760 TCP_MISS:DIRECT 187 PASSTHRU_CUSTOMCAT_7-WhiteList-WhiteList.IdProfile-WhitelistExclusion-NONE-NONE-DefaultGroup-NONE <"C_Whit",-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"-",-,"-","-","-","-","-","-","-",32.51,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> -
<158>Dec 02 23:57:35 AB-AWSA-01.abcd.xxxxxxxxxxxxxxx.com SIEMAccessLogs: Info: 10.0.0.1 - - [02/Dec/2020:23:57:35 +0000] "GET https://tags.xyz.com:443/site/19505?id=y-kXhsUBJ1lxVW22_Nvzyc_JsU0HWPN9xDxX8-" 200 62 TCP_MISS_SSL:DIRECT 192 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-DefaultGroup-NONE-NONE-DefaultGroup-NONE <"IW_comp",1.7,1,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,"IW_comp",-,"Unknown","Computers and Internet","-","Unknown","Unknown","-","-",25.92,0,-,"Unknown","-",-,"-",-,-,"-","-",-,-,"-",-> -
I am using the config below to parse them. The pattern works in the Grok Debugger, but the events are not getting parsed in Logstash. Kindly help.
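input {
  file {
    # Lab-style read of a static sample file: start at the top and never
    # persist the read offset, so each Logstash restart re-reads the file.
    path => "/home/elk_user/sample/wsa_sample.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
  grok {
    # Parses a WSA access-log line of the form
    #   <PRI>Mon DD HH:MM:SS <proxy-host> SIEMAccessLogs: Info: <client-ip> "<domain>\<user>@..." - [<httpdate>] "<method> <host:port | url>" <status> <bytes> <result>:<route> <ms> <verdict>-<policy>-... <...> -
    #
    # The proxy hostname is captured as wsa_host rather than host. The file
    # input already sets host (a string in legacy mode, an object with
    # host.name under ECS compatibility) and grok does not overwrite an
    # existing field: a string becomes an array and an object makes grok
    # drop the captured value silently, so the parsed hostname would be lost
    # or mangled and the field would map inconsistently in Elasticsearch.
    #
    # Backslashes: in a double-quoted config string Logstash leaves \d and
    # \\ untouched unless config.support_escapes is enabled; with that
    # setting on, the backslashes in this pattern would have to be doubled.
    # The Grok Debugger receives the pattern verbatim, which is one likely
    # way a pattern passes there and fails here. The several unanchored .*
    # are also expensive to backtrack on a line this long; a _groktimeout
    # tag (instead of the failure tag below) would point at that.
    match => {"message" => "<.* %{IPORHOST:wsa_host} (?<Facility>[^\d]*) %{IPORHOST:source_ip} (\"(?<domain>[^\"][^\\]*)\\(?<user>[^@]*)@.*\"|(?<domain>[-])) .* \[%{HTTPDATE:date}\] \"%{WORD:command} ((%{IPORHOST:destination_ip}:%{POSINT:destination_port})|(?<url>[^\"]*))\" %{NUMBER:response_code} .* (?<query_response>[^:]*):.* (?:\d*) (?<category>[^-]*)-%{GREEDYDATA:policy_name}-(?:.*)-(?:.*)-(?:.*)-(?:.*) < "}
    add_tag => [ "got_wsa", "parse_done" ]
    # Non-default failure tag: anything that alerts or filters on the
    # standard _grokparsefailure tag will not see these events.
    tag_on_failure => [ "_defaultparse" ]
    # Applied only when the match succeeds; the raw line is then gone from
    # the index, so nothing can be re-parsed or reviewed later if a capture
    # turns out to be wrong.
    remove_field => ["message"]
  }

  # Set @timestamp from the request time captured by grok. Without this,
  # @timestamp (and therefore the daily index name below) is the ingest
  # time, not the time the proxy logged the request. The filter is a no-op
  # when the date field is absent (i.e. grok did not match).
  date {
    match => ["date", "dd/MMM/yyyy:HH:mm:ss Z"]
  }
}

output {
  elasticsearch {
    # Plaintext, unauthenticated connection to a local node: suitable for
    # this lab setup only. Against a real cluster, enable TLS (ssl/cacert)
    # and credentials (user/password or api_key).
    hosts => ["localhost:9200"]
    index => "wsa-%{+YYYY.MM.dd}"
  }
}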