Grok Parse Error even though regex is valid

amarc · July 10, 2017, 9:38pm

Grok Patterns: (truncated to matching patterns only)

## Fixing AVC
## Example:
## type=AVC msg=audit(1499716867.329:3287727): avc:  denied  { execute } for  pid=29362 comm=\"ld-linux-x86-64\" path=\"/usr/libexec/hal-system-sonypic\" dev=sda1 ino=529238 
## scontext=system_u:system_r:prelink_mask_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_sonypic_exec_t:s0 tclass=file
AUDITAVCTYPE %{WORD:audit_avc_type}
AUDITAVCINFO \{ %{DATA:audit_avc_info} \}
AUDITAVC type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): avc:  denied  \{ %{DATA:audit_avc_info} \} %{WORD}  pid=%{NUMBER:parent_pid} comm=\\"%{GREEDYDATA:command}\\" name=\\"%{GREEDYDATA:path_file}\\" dev=%{WORD:hdd_name} ino=%{NUMBER:inode_number} scontext=%{GREEDYDATA:scontext_data} tcontext=%{GREEDYDATA:scontext_data} tclass=%{WORD:target_class_type}

AUDITAVC_OTHER type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): avc:  denied  \{ %{DATA:audit_avc_info} \} %{WORD}  pid=%{NUMBER:parent_pid} comm=\\"%{GREEDYDATA:command}\\" path=\\"%{GREEDYDATA:path_file}\\" dev=%{WORD:hdd_name} ino=%{NUMBER:inode_number} scontext=%{GREEDYDATA:scontext_data} tcontext=%{GREEDYDATA:scontext_data} tclass=%{WORD:target_class_type}

Logstash Configuration:

filter {
    if "java-logs" in [ktopic] {
        grok {
            match => ["message", "%{JAVASTACKTRACEPART}"]
        }
        grok {
            match => ["message", "%{TIMESTAMP_ISO8601:timestamp}"]
        }
        date {
            # example: 2017-06-08 06:08:41,393
            locale => "en"
            #match => ["timestamp", "yyyy-MM-dd HH:mm:ss,SSS"]
            match => ["timestamp", "ISO8601"]
            timezone => "UTC"
            remove_field => ["timestamp"]
        }
    }
    elseif "audit" in [ktopic] {
        grok {
            patterns_dir => ["/etc/logstash/pattern.d/"]
            match => {
            "message" => [
                "%{AUDITPAMLOGIN}",
                "%{AUDITSYSCALL}",
                "%{AUDITEXECVE}",
                "%{AUDITCWD}",
                "%{AUDITPATHLONG}",
                "%{AUDITPATHSHORT}",
                "%{AUDITPAMLOGIN}",
                "%{AUDITCONFIG}",
                "%{AUDITAVC}",
                "%{AUDITAVC_OTHER}"
            ]
            }
        }
        mutate {
            add_tag => ["inside_audit_grok"]
        }
        date {
            match => [ 'audit_epoch', 'UNIX' ]
        }
    }
    else {
    grok {
            match => ["message", "%{TIMESTAMP_ISO8601:timestamp}"]
            }
                date {
                    # example: 2017-06-26T23:38:31.535488+00:00
                    locale => "en"
                    match => ["timestamp", "ISO8601"]
                    timezone => "UTC"
                    remove_field => ["timestamp"]
                }
    }
            
}

Regex Validator: https://grokdebug.herokuapp.com/

Logstash STDOut:

{
       "cluster" => "xxxx",
        "offset" => 4371620,
    "input_type" => "log",
        "ktopic" => "audit",
        "source" => "/var/log/audit/audit.log",
       "message" => "type=AVC msg=audit(1499722201.270:1276981): avc:  denied  { getattr } for  pid=55358 comm=\"rsyslogd\" path=\"/var/log/audit/audit.log\" dev=sda2 ino=1179653 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file",
          "type" => "log",
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_grokparsefailure",
        [2] "inside_audit_grok"
    ],
    "@timestamp" => 2017-07-10T21:30:03.774Z,
     "node_type" => "slave",
         "fwder" => "filebeat",
      "@version" => "1",
          "beat" => {
        "hostname" => "xxxxxx",
            "name" => "xxxxx",
         "version" => "5.4.1"
    },
          "host" => "xxxxxx"
}

magnusbaeck · July 12, 2017, 3:41pm

Simplify your expressions down to a minimum (start with type=%{WORD:audit_type}). Then gradually add more and more tokens to extract more and more fields.

amarc · July 12, 2017, 9:29pm

Grok pattern should work fine because https://grokdebug.herokuapp.com/ shows that its matching the logs

magnusbaeck · July 12, 2017, 9:50pm

Grok pattern should work fine because https://grokdebug.herokuapp.com/ shows that its matching the logs

That's a discussion we can have after we sort out why your grok expression isn't working in Logstash.

Topic		Replies	Views
Getting _grokparsefailure for grok pattern on [audit_data][messages] field for modsecurity json log? Logstash	5	232	February 23, 2024
Error parsing simple log Logstash	2	299	October 18, 2019
Help with Grok (syntax issue as well as question regarding double quotes) Logstash	8	437	June 30, 2023
Grok parse failures .. Grok syntax Logstash	22	2495	November 9, 2018
Grokparse failure - but grokdebugger works Logstash	4	1064	July 6, 2017

Grok Parse Error even though regex is valid

Related topics