GROK Parsing Problem - IP within brackets AND parentheses

NeQter · July 26, 2018, 8:04pm

Hello. I am having some trouble parsing the following log:

<14>Jul 26 13:37:17 NL-Syn1-RI Connection: User [SYNNAS\WIN7$] from [192.168.10.111(192.168.10.111)] via [CIFS(SMB2)] accessed shared folder [sysvol].

This is what I have at the moment for my GROK pattern:

`<%{POSINT:syslog_pri}>(?<timestamp>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) ?%{SYSLOGHOST:log_source} %{WORD:service}: User \[(?:%{WORD:user_domain}\\)\\?%{DATA:username}\] from \[%{IP:source_ip}|%({IP:source_ip})\] via \[%{DATA:protocol}\] accessed shared folder \[%{DATA:shared_folder}\].`

I am able to parse out everything up until "via [CIFS(SMB2)] accessed shared folder [sysvol]." The two fields "protocol" and "shared folder" display "null" on the GROK debugger. However, when splitting the log, beginning at "via", the two halves parse out perfectly fine with the current grok pattern. I tried many different ideas, but I haven't been able to find a solution.

Badger · July 26, 2018, 9:12pm

Please indent the grok pattern by 4 spaces, so that we can see what you have escaped.

Badger · July 26, 2018, 9:47pm

Not fixed yet.

NeQter · July 26, 2018, 9:57pm

Is it okay now?

Badger · July 26, 2018, 10:19pm

Yes, that's better. This does not match "[192.168.10.111(192.168.10.111)]".

 \[%{IP:source_ip}|%({IP:source_ip})\]

Change that to

 \[%{IP:source_ip}\(%{IP:source_ip}\)\]

Note that it will create an array because the two fields have the same name.

NeQter · July 26, 2018, 10:38pm

That did the trick, thanks a ton Badger!

I have one other question, where would I place "%{GREEDYDATA:message}" if I want it to contain "User [SYNNAS\WIN7$] from [192.168.10.111(192.168.10.111)] via [CIFS(SMB2)] accessed shared folder [sysvol]."

Badger · July 27, 2018, 1:10am

You would replace everything after '%{WORD:service}: ' (that has a trailing space) with %{GREEDYDATA:message}. Then look at the output and realize you don't want to call it message

NeQter · July 27, 2018, 1:47am

Ahh I see lol thanks for your help!

I was going to start a new thread, but I might as well as here...

What have I done wrong here?

log:

NAS\Admin:\tShared folder [test] was deleted.

`%{WORD:user_domain}\\%{DATA:username}:\tShared folder \[%{DATA:folder_name}\] was %{WORD:action}.`

Badger · July 27, 2018, 12:07pm

If the \t in the message is literally \t, then you need to have \\t in the grok pattern. If it is a tab then you need a tab in the grok pattern.

NeQter · July 27, 2018, 1:12pm

Yup I was missing an extra \

It's always something small that I miss lol thanks again!

system · August 24, 2018, 1:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Log between {} Logstash	6	347	May 7, 2018
Problem parsing with grok Logstash	3	332	November 27, 2018
Working with brackets in regex Logstash	4	722	October 1, 2018
How to parse this format of log Logstash	6	320	August 5, 2019
Having problems parsing data Logstash	4	305	February 18, 2021

GROK Parsing Problem - IP within brackets AND parentheses

Related topics