Grok parse failure

Hello,

I have the following log from snort (from PFSense)

roku [classification: misc activity] [priority: 3] {tcp} 10.0.2.11:37183 -> 151.101.65.190:80

I've created the following grok pattern, which works fine in the grok debuggers online and in the Kibana developer tools with the log.

%{DATA:description} \[classification: %{DATA:classification}\] \[priority: %{DATA:alert_priority}\] \{%{DATA:protocol}\} %{DATA:source_ip}:%{DATA:source_port} -> %{DATA:destination_ip}:%{GREEDYDATA:destination_port}

When I run the pattern in Logstash, I get a _grokparsefailure.

Here is my logstash conf file.

filter
{
    if [log_type] == "snort"
    {
        # First pass: split off the [gid:sid:rev] header and keep the rest as message
        grok
        {
            match => { "message" => "\[%{DATA:uuid}:%{DATA:reference}:%{DATA:version}\] %{GREEDYDATA:message}" }
            overwrite => ["message"]
        }

        # Second pass: only rule alerts (generator id 1) carry the classification/priority body
        if [uuid] == "1"
        {
            grok
            {
                match => { "message" => "%{DATA:description} \[classification: %{DATA:classification}\] \[priority: %{DATA:alert_priority}\] \{%{DATA:protocol}\} %{DATA:source_ip}:%{DATA:source_port} -> %{DATA:destination_ip}:%{GREEDYDATA:destination_port}" }
            }

            mutate
            {
                add_field => {link => "https://www.snorts.org/rule_docs/%{uuid}-%{reference}"}
            }
        }
    }
}

Turns out my fields had capital letters in them, and a transform downstream made it look like they were all lower case.
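To make the root cause visible outside Logstash, here is an added Python example (not from the original post or from the Elastic project) that hand-translates the two grok patterns above into Python regexes (`DATA` becomes `.*?`, `GREEDYDATA` becomes `.*`) and runs them over two constructed lines: the raw form with capitalised `Classification`/`Priority`/`TCP` labels, and the lower-cased form that the online debuggers were fed. The rule id `1:1000001:1` is a placeholder, and the `case_insensitive` switch stands in for prefixing the grok pattern with the `(?i)` inline flag.

```python
import re

# Hand-translated equivalents of the two grok patterns from the post.
# grok DATA == .*? (non-greedy), grok GREEDYDATA == .* (greedy).
HEADER_RE = r"^\[(?P<uuid>.*?):(?P<reference>.*?):(?P<version>.*?)\] (?P<message>.*)$"
ALERT_RE = (
    r"^(?P<description>.*?) \[classification: (?P<classification>.*?)\] "
    r"\[priority: (?P<alert_priority>.*?)\] \{(?P<protocol>.*?)\} "
    r"(?P<source_ip>.*?):(?P<source_port>.*?) -> "
    r"(?P<destination_ip>.*?):(?P<destination_port>.*)$"
)


def parse_snort(line, case_insensitive=False):
    """Two-stage parse mirroring the Logstash filter: header first, then the
    alert body only when uuid == "1".  Returns a dict of fields, or None for
    the situation Logstash would tag as _grokparsefailure."""
    flags = re.IGNORECASE if case_insensitive else 0
    header = re.match(HEADER_RE, line, flags)
    if header is None:
        return None
    fields = header.groupdict()
    if fields["uuid"] != "1":
        return fields  # non-rule events keep only the header fields
    alert = re.match(ALERT_RE, fields["message"], flags)
    if alert is None:
        return None
    fields.update(alert.groupdict())  # second grok overwrites/extends message
    return fields


# Constructed sample lines; the rule id 1:1000001:1 is a placeholder.
# RAW_LINE uses the capitalised labels as the collector actually emits them,
# LOWERCASED_LINE is what the online debuggers were given.
RAW_LINE = ("[1:1000001:1] roku [Classification: Misc activity] [Priority: 3] "
            "{TCP} 10.0.2.11:37183 -> 151.101.65.190:80")
LOWERCASED_LINE = RAW_LINE.lower()


def demo():
    """Return the three outcomes: debugger input, raw input, raw with (?i)."""
    return (
        parse_snort(LOWERCASED_LINE),            # matches, as in the debuggers
        parse_snort(RAW_LINE),                   # None: the _grokparsefailure
        parse_snort(RAW_LINE, case_insensitive=True),  # matches again
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two practical points follow from this. In Logstash the same fix is either to write the labels with the case the source really uses, or to prefix the pattern with `(?i)` so the match is case-insensitive; lower-casing the whole message with `mutate` before the grok also works but discards the original casing. Second, because a failed grok is silent apart from the `_grokparsefailure` tag, it is worth alerting on that tag: an IDS pipeline that quietly stops producing `classification` and `alert_priority` fields is a detection gap, not just a parsing nuisance.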
