GROK Parsing Problem - IP within brackets AND parentheses

NeQter · July 26, 2018, 8:04pm

Hello. I am having some trouble parsing the following log:

<14>Jul 26 13:37:17 NL-Syn1-RI Connection: User [SYNNAS\WIN7$] from [192.168.10.111(192.168.10.111)] via [CIFS(SMB2)] accessed shared folder [sysvol].

This is what I have at the moment for my GROK pattern:

`<%{POSINT:syslog_pri}>(?<timestamp>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) ?%{SYSLOGHOST:log_source} %{WORD:service}: User \[(?:%{WORD:user_domain}\\)\\?%{DATA:username}\] from \[%{IP:source_ip}|%({IP:source_ip})\] via \[%{DATA:protocol}\] accessed shared folder \[%{DATA:shared_folder}\].`

I am able to parse out everything up until "via [CIFS(SMB2)] accessed shared folder [sysvol]." The two fields "protocol" and "shared folder" display "null" on the GROK debugger. However, when splitting the log, beginning at "via", the two halves parse out perfectly fine with the current grok pattern. I tried many different ideas, but I haven't been able to find a solution.

Badger · July 26, 2018, 9:12pm

Please indent the grok pattern by 4 spaces, so that we can see what you have escaped.

Badger · July 26, 2018, 9:47pm

Not fixed yet.

NeQter · July 26, 2018, 9:57pm

Is it okay now?

Badger · July 26, 2018, 10:19pm

Yes, that's better. This does not match "[192.168.10.111(192.168.10.111)]".

 \[%{IP:source_ip}|%({IP:source_ip})\]

Change that to

 \[%{IP:source_ip}\(%{IP:source_ip}\)\]

Note that it will create an array because the two fields have the same name.

NeQter · July 26, 2018, 10:38pm

That did the trick, thanks a ton Badger!

I have one other question, where would I place "%{GREEDYDATA:message}" if I want it to contain "User [SYNNAS\WIN7$] from [192.168.10.111(192.168.10.111)] via [CIFS(SMB2)] accessed shared folder [sysvol]."

Badger · July 27, 2018, 1:10am

You would replace everything after '%{WORD:service}: ' (that has a trailing space) with %{GREEDYDATA:message}. Then look at the output and realize you don't want to call it message

NeQter · July 27, 2018, 1:47am

Ahh I see lol thanks for your help!

I was going to start a new thread, but I might as well as here...

What have I done wrong here?

log:

NAS\Admin:\tShared folder [test] was deleted.

`%{WORD:user_domain}\\%{DATA:username}:\tShared folder \[%{DATA:folder_name}\] was %{WORD:action}.`

Badger · July 27, 2018, 12:07pm

If the \t in the message is literally \t, then you need to have \\t in the grok pattern. If it is a tab then you need a tab in the grok pattern.

NeQter · July 27, 2018, 1:12pm

Yup I was missing an extra \

It's always something small that I miss lol thanks again!

system · August 24, 2018, 1:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.