Grok parsing using custom pattern

Hi
I am trying to parse a log file using grok. Basically trying to write and test a grok pattern in https://grokdebug.herokuapp.com/ The pattern for the two-word log "[**] [1:2123:5]" that I came upon is [**] \\[%{NUMBER\\:NUMBER\\:NUMBER:threat}\\] using a custom pattern. But the grok debugger produces only a curly bracket. Any insight on the grok pattern that I am missing will be appreciated. Also, how can I fetch the value of level from the following log line?

[**] [1:2123:5] some text here [level: 4]

Regards

\[\*\*\] \[%{NUMBER:a}:%{NUMBER:b}:%{NUMBER:c}\] %{GREEDYDATA:whatever} \[level: %{NUMBER:level}\]

Hi
@magnusbaeck Thank you again. With your input, I have been able to parse the log using the following pattern. I do understand now why a single space in the pattern also matters.

The log line
[**] [1:2123:5] INDICATOR-COMPROMISE Microsoft cmd.exe banner [**][Classification: Successful Administrator Privilege Gain] [Priority: 1] 01/13-21:51:52.996103 192.168.1.2:80 -> 192.168.1.3:1404 TCP TTL:64 TOS:0x0 ID:1997 IpLen:20 DgmLen:128 Seq: 0xBD0F2FED Ack: 0x23C533C0 Win: 0xFFFF TcpLen: 20 [Xref => http://cgi.nessus.org/plugins/dump.php3?id=11633]

The pattern
\[\*\*\] \[%{NUMBER:a}:%{NUMBER:b}:%{NUMBER:c}\] %{GREEDYDATA:whatever} \[\*\*\]\[Classification: %{GREEDYDATA:Classification}\] \[Priority: %{NUMBER:Priority}\] %{GREEDYDATA:date1}\-%{GREEDYDATA:time1} %{IP:sip}:%{NUMBER:sport} -> %{IP:dip}:%{NUMBER:dport} %{GREEDYDATA:protocol} TTL:%{NUMBER:TTL} TOS:%{GREEDYDATA:TOS} ID:%{NUMBER:ID} IpLen:%{NUMBER:IpLen} DgmLen:%{NUMBER:DgmLen} Seq: %{GREEDYDATA:seq} Ack: %{GREEDYDATA:ack} Win: %{GREEDYDATA:win} TcpLen: %{NUMBER:TcpLen} \[Xref => %{GREEDYDATA:url}\]

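As an added example that is not part of this thread or of Logstash itself: a small Python translation of the grok syntax used in both magnusbaeck's `level` pattern and the final Snort pattern above, with simplified NUMBER and IP definitions constructed here (Logstash's own are stricter), run against the two log lines quoted in the thread. It also shows why the literal brackets and stars must be escaped and why a missing space in the pattern makes the match fail.

```python
import re

# Simplified stand-ins for three patterns from Logstash's core grok library
# (constructed for this example; the real NUMBER and IP definitions are stricter).
GROK_PATTERNS = {
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "GREEDYDATA": r".*",
}

def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} into a named group and %{NAME} into a plain group.
    Everything else is passed through as regex syntax, which is why literal
    '[' and '*' must be written \[ and \* and why every space is significant."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]  # unknown pattern names raise, as grok would
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)

def grok_match(pattern: str, line: str):
    """Return the captured fields as a dict, or None when the line does not match."""
    m = re.match(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

# The two patterns from the thread, applied to the log lines quoted in the thread.
LEVEL_PATTERN = r"\[\*\*\] \[%{NUMBER:a}:%{NUMBER:b}:%{NUMBER:c}\] %{GREEDYDATA:whatever} \[level: %{NUMBER:level}\]"
LEVEL_LINE = "[**] [1:2123:5] some text here [level: 4]"
SNORT_PATTERN = (
    r"\[\*\*\] \[%{NUMBER:a}:%{NUMBER:b}:%{NUMBER:c}\] %{GREEDYDATA:whatever} "
    r"\[\*\*\]\[Classification: %{GREEDYDATA:Classification}\] \[Priority: %{NUMBER:Priority}\] "
    r"%{GREEDYDATA:date1}\-%{GREEDYDATA:time1} %{IP:sip}:%{NUMBER:sport} -> %{IP:dip}:%{NUMBER:dport} "
    r"%{GREEDYDATA:protocol} TTL:%{NUMBER:TTL} TOS:%{GREEDYDATA:TOS} ID:%{NUMBER:ID} "
    r"IpLen:%{NUMBER:IpLen} DgmLen:%{NUMBER:DgmLen} Seq: %{GREEDYDATA:seq} Ack: %{GREEDYDATA:ack} "
    r"Win: %{GREEDYDATA:win} TcpLen: %{NUMBER:TcpLen} \[Xref => %{GREEDYDATA:url}\]"
)
SNORT_LINE = (
    "[**] [1:2123:5] INDICATOR-COMPROMISE Microsoft cmd.exe banner [**][Classification: "
    "Successful Administrator Privilege Gain] [Priority: 1] 01/13-21:51:52.996103 "
    "192.168.1.2:80 -> 192.168.1.3:1404 TCP TTL:64 TOS:0x0 ID:1997 IpLen:20 DgmLen:128 "
    "Seq: 0xBD0F2FED Ack: 0x23C533C0 Win: 0xFFFF TcpLen: 20 "
    "[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11633]"
)

if __name__ == "__main__":
    print(grok_match(LEVEL_PATTERN, LEVEL_LINE))
    for field, value in grok_match(SNORT_PATTERN, SNORT_LINE).items():
        print(f"{field:>15}: {value}")
```

Note that `date1` does not stop at the `-` inside `->`: the greedy `GREEDYDATA` backtracks until the rest of the pattern (the `IP:port -> IP:port` part) can also match, which is the same behaviour the grok debugger shows.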