Grok Parsing

Hi everyone, I am having trouble when I want to parse this Fortigate Log
<189>devname="FWFG240D" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1565130979 srcip=146.0.138.202 srcport=61103 dstip=192.168.1.1 dstport=80 proto=6 action="accept" sentbyte=617

If someone can help me, please

Your log is basically a key-value message; you do not need grok to parse it. You just need to split the key-value pairs from the static part, the <189>. You can do this by combining the dissect filter and the kv filter.

This is what I use to parse those Fortigate logs.

filter {
    # Split the syslog priority "<189>" (dropped via the empty %{} skip field)
    # from the key=value body, which is kept in the temporary @metadata field
    dissect {
        mapping => {
            "message" => "<%{}>%{[@metadata][kvmsg]}"
        }
        # remove_field only runs when the dissect pattern matched
        remove_field => ["message"]
    }
    # Turn the key=value body into top-level fields (devname, type, subtype, ...)
    kv {
        source => "[@metadata][kvmsg]"
    }
}

The dissect filter gets the key-value pairs into the nested field @metadata.kvmsg. I use the @metadata field because it will not be present in the output document; you can use any other field name if you want the original key-value document present in your output. Also, if the dissect is successful, the original message field will be removed.

The kv filter will then parse your key-value document and give you the fields as named, for example, devname, type, subtype etc.

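The same two-step parse (strip the syslog priority, then read the key=value body) written as a stand-alone Python script, as an added example that is not part of the answer above and not Logstash's own code. It is useful for checking offline what field names a Fortigate line will produce before the pipeline is deployed, and it additionally decodes the <189> priority into its syslog facility and severity, which the Logstash config above simply discards. The sample line is constructed from the one in the question; the regular expressions and function names are this example's own assumptions, and values are kept as strings, matching what the kv filter emits without a mutate/convert step.

```python
import re

# Constructed sample, modelled on the line in the question (not a real device log).
SAMPLE = (
    '<189>devname="FWFG240D" type="traffic" subtype="forward" level="notice" '
    'vd="root" eventtime=1565130979 srcip=146.0.138.202 srcport=61103 '
    'dstip=192.168.1.1 dstport=80 proto=6 action="accept" sentbyte=617'
)

# "<PRI>" prefix: 1-3 digits in angle brackets, followed by the key=value body.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# One key=value pair: the value is either a double-quoted string (backslash
# escapes allowed, so spaces and "=" inside quotes do not start a new pair)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# RFC 5424 severity names, indexed by PRI % 8.
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def split_pri(line):
    """Return (priority, body); mirrors the dissect step '<%{}>%{body}'."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("line does not start with a <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # facility max 23, severity max 7 -> 23*8+7
        raise ValueError("priority %d out of range" % pri)
    return pri, m.group(2)


def parse_kv(body):
    """Return the key=value pairs as a dict; mirrors the kv filter."""
    fields = {}
    for key, raw in KV_RE.findall(body):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"')  # unquote and unescape
        else:
            value = raw
        fields[key] = value
    return fields


def parse_fortigate(line):
    """Full parse: key=value fields plus decoded syslog facility/severity."""
    pri, body = split_pri(line)
    event = parse_kv(body)
    event["syslog_facility"] = pri // 8
    event["syslog_severity"] = SYSLOG_SEVERITIES[pri % 8]
    return event


if __name__ == "__main__":
    for name, value in sorted(parse_fortigate(SAMPLE).items()):
        print("%-16s %s" % (name, value))
```

Run it as-is to list every field the line yields; feeding it a line captured from your own device shows the field names before they reach the index mapping.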

Thank you, sir, it's really helpful I'll try it :smiley:
