Grok parsing issue


(Jiří Kolb) #1

Hello,
I am a Logstash newbie. It would be nice if anyone could help; I have tried it many times, still no luck. I used the grok debugger http://grokconstructor.appspot.com/ and the log is matched without issues. With the following settings I am still getting _grokparsefailure as a tag.

Log:
"<190>date=2017-01-16 time=15:38:09 devname=FortiGate-VM64 devid=FGVMEV0000000000 logid=0100032003 type=event subtype=system level=information vd="root" logdesc="Admin logout successful" sn=1484577398 user="admin" ui=http(10.0.0.32) action=logout status=success duration=91 reason=exit msg="Administrator admin logged out from http(10.0.0.32)""

I have added simple custom grok patterns:
FORTIDATE date=%{YEAR}-%{MONTHNUM}-%{MONTHDAY}
FORTIHEADER <%{NUMBER:syslog_index}>%{FORTIDATE:date} time=%{TIME:time} devname=%{HOST:hostname} devid=%{HOST:deviceid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} level=%{WORD:level} vd=\"%{WORD:vdom}

logstash conf:

input {
  udp {
    port => 5000
    type => syslog
  }
}

filter {
  grok {
    break_on_match => true
    patterns_dir => ["/usr/share/logstash/bin/patterns"]
    match => [
      "message", "%{FORTIHEADER}"
    ]
    add_tag => ["fortigate"]
  }
}

output {
  stdout {
    codec => rubydebug
  }
}

Thank you!

Jiri


(Magnus Bäck) #2

Just use a kv filter to parse the key/value pairs. Use grok to separate <190> from the key/value pairs.
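One way to put that suggestion into a filter block, as an added example rather than either poster's config: grok only peels off the `<190>` syslog priority, and the kv filter parses everything after it, including double-quoted values with spaces such as the msg="..." field. The field names `syslog_pri`, `kv_body`, the `fortigate` target and the date/time merge are my choices for illustration, not anything from the original thread.

```logstash
filter {
  # Step 1: separate the "<190>" priority from the key=value body.
  # NONNEGINT and GREEDYDATA are standard grok patterns; no custom patterns_dir needed.
  grok {
    match => { "message" => "<%{NONNEGINT:syslog_pri}>%{GREEDYDATA:kv_body}" }
    add_tag => ["fortigate"]
  }

  # Step 2: let kv split the body on spaces and '=' into fields under [fortigate].
  # kv treats a double-quoted value as one token, so
  #   msg="Administrator admin logged out from http(10.0.0.32)"
  # becomes a single [fortigate][msg] value with the quotes removed.
  kv {
    source       => "kv_body"
    field_split  => " "
    value_split  => "="
    target       => "fortigate"
    remove_field => ["kv_body"]
  }

  # Step 3 (optional): FortiGate writes date= and time= as separate keys;
  # join them into one field and use it as the event timestamp.
  mutate {
    add_field => { "[fortigate][timestamp]" => "%{[fortigate][date]} %{[fortigate][time]}" }
  }
  date {
    match  => ["[fortigate][timestamp]", "yyyy-MM-dd HH:mm:ss"]
    target => "@timestamp"
  }
}
```

If the event still gets _grokparsefailure here, the message itself does not start with `<`, which you can check with the rubydebug output from the existing stdout block.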


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.