GedeoN
May 27, 2020, 11:54am
1
Hi,
I'm trying to parse a part of message.
I have message like that:
Login failed for user 'USR_DELTA'. Reason: The account is disabled. [CLIENT: xxx.xxx.xxx.xxx]
In first time, i grok parse IP with:
match => { "message" => "%{IPV4:ipClient}" }
add_tag => ["ipClient"]
And it works well.
match => { "message" => "Login failed for user={USERNAME:user}" }
add_tag => ["user"]
But it doesn't work. I don't have error in rubydebug but i don't have a new field with the user, any idea? Problem with syntax maybe?
Best regards.
Badger
May 27, 2020, 12:36pm
2
Your grok pattern has an equals sign and no quotes. Your message has a space and single quotes around the username. That is not going to match.
GedeoN
May 27, 2020, 12:46pm
3
I'm trying many syntax, but it doesn't work, do you know how to match it?
Badger
May 27, 2020, 12:50pm
4
I would expect
match => { "message" => "Login failed for user '{USERNAME:user}'" }
to work.
GedeoN
May 27, 2020, 2:59pm
5
Hi finally find like this
match => { "message" => ".*Login failed for user\s* \s*'%{USERNAME:user}'" }
And it works well
Regards
system
June 24, 2020, 3:11pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
