Grok parsing using custom pattern

I am trying to parse a log file using grok. Basically trying to write and test grok pattern in The patterns for the two words log "[**] [1:2123:5]" that i came upon is [**] \\[%{NUMBER\\:NUMBER\\:NUMBER:threat}\\] using custom pattern. But the grok debugger produces only curly bracket. Any insight on the grok pattern that i am missing will be appreciated . Also how can i fetch the value of level from the following log line.

[**] [1:2123:5] some text here [level: 4]


\[\*\*\] \[%{NUMBER:a}:%{NUMBER:b}:%{NUMBER:c}\] %{GREEDYDATA:whatever} \[level: %{NUMBER:level}\]

@magnusbaeck Thank you again. With your input, I have been able to parse the log using following pattern. I do understand now why a single space in pattern also matters.

The log line

[**] [1:2123:5] INDICATOR-COMPROMISE Microsoft cmd.exe banner [**][Classification: Successful Administrator Privilege Gain] [Priority: 1] 01/13-21:51:52.996103 -> TCP TTL:64 TOS:0x0 ID:1997 IpLen:20 DgmLen:128 Seq: 0xBD0F2FED Ack: 0x23C533C0 Win: 0xFFFF TcpLen: 20 [Xref =>]

The pattern

\[\*\*\] \[%{NUMBER:a}:%{NUMBER:b}:%{NUMBER:c}\] %{GREEDYDATA:whatever} \[\*\*\]\[Classification: %{GREEDYDATA:Classification}\] \[Priority: %{NUMBER:Priority}\] %{GREEDYDATA:date1}\-%{GREEDYDATA:time1} %{IP:sip}:%{NUMBER:sport} -> %{IP:dip}:%{NUMBER:dport} %{GREEDYDATA:protocol} TTL:%{NUMBER:TTL} TOS:%{GREEDYDATA:TOS} ID:%{NUMBER:ID} IpLen:%{NUMBER:IpLen} DgmLen:%{NUMBER:DgmLen} Seq: %{GREEDYDATA:seq} Ack: %{GREEDYDATA:ack} Win: %{GREEDYDATA:win} TcpLen: %{NUMBER:TcpLen} \[Xref => %{GREEDYDATA:url}\]

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.