Grok part of message

Elastic Stack Logstash
1

Hi,

I'm trying to parse a part of message.
My general grok is working, but this one doesn't.

I have message like that:

Login failed for user 'USR_DELTA'. Reason: The account is disabled. [CLIENT: xxx.xxx.xxx.xxx]

In first time, i grok parse IP with:

            match => { "message" => "%{IPV4:ipClient}" }
            add_tag => ["ipClient"]

And it works well.
In a second time, i try to just parse Login failed for user 'USR_DELTA' with:

            match => { "message" => "Login failed for user={USERNAME:user}" }
            add_tag => ["user"]

But it doesn't work. I don't have error in rubydebug but i don't have a new field with the user, any idea? Problem with syntax maybe?

Best regards.
Jonathan

2

Your grok pattern has an equals sign and no quotes. Your message has a space and single quotes around the username. That is not going to match.

3

I'm trying many syntax, but it doesn't work, do you know how to match it?

4

I would expect

  match => { "message" => "Login failed for user '{USERNAME:user}'" }

to work.

5

Hi finally find like this

match => { "message" => ".*Login failed for user\s* \s*'%{USERNAME:user}'" }

And it works well :slight_smile:
Thank you very much.

Regards