Hello. I am having some trouble parsing the following log:
<14>Jul 26 13:37:17 NL-Syn1-RI Connection: User [SYNNAS\WIN7$] from [192.168.10.111(192.168.10.111)] via [CIFS(SMB2)] accessed shared folder [sysvol].
This is what I have at the moment for my GROK pattern:
`<%{POSINT:syslog_pri}>(?<timestamp>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) ?%{SYSLOGHOST:log_source} %{WORD:service}: User \[(?:%{WORD:user_domain}\\)\\?%{DATA:username}\] from \[%{IP:source_ip}|%({IP:source_ip})\] via \[%{DATA:protocol}\] accessed shared folder \[%{DATA:shared_folder}\].`
I am able to parse out everything up until "via [CIFS(SMB2)] accessed shared folder [sysvol]." The two fields "protocol" and "shared folder" display "null" on the GROK debugger. However, when splitting the log, beginning at "via", the two halves parse out perfectly fine with the current grok pattern. I tried many different ideas, but I haven't been able to find a solution.
I have one other question: where would I place `%{GREEDYDATA:message}` if I want it to contain "User [SYNNAS\WIN7$] from [192.168.10.111(192.168.10.111)] via [CIFS(SMB2)] accessed shared folder [sysvol]."?
You would replace everything after '%{WORD:service}: ' (that has a trailing space) with `%{GREEDYDATA:message}`. Then look at the output and realize you don't want to call it message.
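Added example (not from this thread): a small Python reproduction of the problem and the fix. Grok patterns compile down to regex, so the bare `|` in `\[%{IP:source_ip}|%({IP:source_ip})\]` splits the *entire* pattern into two alternatives; the first alternative ends at the first IP, and every field after it (protocol, shared_folder) is left null. The base patterns below are simplified stand-ins for Logstash's grok definitions, Python's `re` stands in for Logstash's Oniguruma engine, and the second address is named `source_ip_resolved` (my choice) because Python does not allow a group name twice.

```python
import re

# Simplified stand-ins for the Logstash grok base patterns the question uses;
# the real definitions are longer, but these suffice for this log line.
GROK = {
    "POSINT": r"\b[1-9][0-9]*\b",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "SYSLOGHOST": r"[0-9A-Za-z][0-9A-Za-z.-]*",
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}",
}

def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} (or %{NAME}) into Python named groups."""
    def repl(m):
        base = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{base})" if m.group(2) else f"(?:{base})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)

# The log line from the question.
LOG = (r"<14>Jul 26 13:37:17 NL-Syn1-RI Connection: User [SYNNAS\WIN7$] "
       "from [192.168.10.111(192.168.10.111)] via [CIFS(SMB2)] "
       "accessed shared folder [sysvol].")

HEAD = (r"<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} "
        r"%{SYSLOGHOST:log_source} %{WORD:service}: ")

# As posted (with the %( typo corrected): the bare "|" splits the WHOLE regex into
# two alternatives, so the match stops after the first IP and the rest is null.
BROKEN_TAIL = (r"User \[(?:%{WORD:user_domain}\\)?%{DATA:username}\] "
               r"from \[%{IP:source_ip}|%{IP:source_ip_resolved}\)\] "
               r"via \[%{DATA:protocol}\] accessed shared folder \[%{DATA:shared_folder}\]\.")

# Fixed: match the parenthesised second address literally with \( ... \).
FIXED_TAIL = (r"User \[(?:%{WORD:user_domain}\\)?%{DATA:username}\] "
              r"from \[%{IP:source_ip}\(%{IP:source_ip_resolved}\)\] "
              r"via \[%{DATA:protocol}\] accessed shared folder \[%{DATA:shared_folder}\]\.")

# Second question: one GREEDYDATA in place of the whole tail keeps the event text.
MESSAGE_TAIL = r"%{GREEDYDATA:message}"

def parse(line: str, tail: str):
    """Return captured fields (None for groups that did not match), or None on no match."""
    m = re.match(grok_to_regex(HEAD + tail), line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    for name, tail in (("broken", BROKEN_TAIL), ("fixed", FIXED_TAIL), ("message", MESSAGE_TAIL)):
        print(name, parse(LOG, tail))
```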