Grok pattern matching

Trying to figure out the most effective way to parse the following message being received via a syslog input.

<134>1 2020-01-29T21:18:07Z 10.10.10.10 PulseSecure: - - - 2020-01-29 21:18:07 - ssl - [4.4.4.4] domain\user(Com1-Reliable)[Com1-Reliable-Grp-TST] - Closed connection to TUN-VPN port 443 after 134 seconds, with 840437 bytes read (in 1 chunks) and 682532 bytes written (in 0 chunks)

<134>1 2020-01-29T21:26:10Z 10.10.10.10 PulseSecure: - - - 2020-01-29 21:26:10 - ibos1 - [4.4.4.4] user1(Com1-Reliable)[Com1-Reliable-Grp-TST] - Login succeeded for user1/Com1-Reliable (session:00000000) from 5.5.5.5 with Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; Zoom 3.6.0).

Have attempted to leverage several pattern matches and grok-pattern-building sites to no real avail. Any insight would be appreciated.

Look toward the bottom of this file on git

I'm getting closer, trying to take the syslog message one field at a time. Stuck after the second date stamp.

log:
<134>1 2020-01-29T21:26:10Z 10.10.10.10 PulseSecure: - - - 2020-01-29 21:26:10 - ibos1 - [4.4.4.4] user1(Com1-Reliable)[Com1-Reliable-Grp-TST] - Login succeeded for user1/Com1-Reliable (session:00000000) from 5.5.5.5 with Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; Zoom 3.6.0).

pattern:
%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{PROG:pulse_appliance}%{SPACE}%{PROG:software}:%{SPACE}%{PROG:dash}%{SPACE}%{PROG:dash}%{SPACE}%{PROG:dash}%{SPACE}%{TIMESTAMP_ISO8601:timestamp2}%{SPACE}%{PROG:dash}

This gets a little further, but I'm just guessing at the message layout.

%{TIMESTAMP_ISO8601:timestamp} %{PROG:pulse_appliance} %{PROG:software}: - - - %{TIMESTAMP_ISO8601:timestamp2} - %{WORD:w1} - \[%{NOTSPACE:ip}\] %{GREEDYDATA:user}\[%{GREEDYDATA:group}\] - %{GREEDYDATA:logmsg}

simulate results:

{
  "software": "PulseSecure",
  "logmsg": "Login succeeded for user1/Com1-Reliable (session:00000000) from 5.5.5.5 with Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; Zoom 3.6.0).",
  "timestamp2": "2020-01-29 21:26:10",
  "ip": "4.4.4.4",
  "pulse_appliance": "10.10.10.10",
  "w1": "ibos1",
  "user": "user1(Com1-Reliable)",
  "timestamp": "2020-01-29T21:26:10Z",
  "group": "Com1-Reliable-Grp-TST"
}
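As an added example (not from the thread, nor PulseSecure or Graylog code), here is the same layout as a plain Python regex with named groups, so the field names above can be checked offline against both sample lines. It assumes the field names from the thread's grok pattern, treats the `<PRI>VERSION` syslog header as optional, splits the realm in parentheses out of the user field, and adds second-stage patterns for the two event types seen in the thread (login succeeded, connection closed); those second-stage patterns are my own reading of the two samples, not a documented PulseSecure format.

```python
import re
from typing import Optional

# Constructed sample input: the two PulseSecure lines quoted in the thread.
SAMPLE_LINES = [
    r"<134>1 2020-01-29T21:18:07Z 10.10.10.10 PulseSecure: - - - 2020-01-29 21:18:07 - ssl - [4.4.4.4] domain\user(Com1-Reliable)[Com1-Reliable-Grp-TST] - Closed connection to TUN-VPN port 443 after 134 seconds, with 840437 bytes read (in 1 chunks) and 682532 bytes written (in 0 chunks)",
    r"<134>1 2020-01-29T21:26:10Z 10.10.10.10 PulseSecure: - - - 2020-01-29 21:26:10 - ibos1 - [4.4.4.4] user1(Com1-Reliable)[Com1-Reliable-Grp-TST] - Login succeeded for user1/Com1-Reliable (session:00000000) from 5.5.5.5 with Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; Zoom 3.6.0).",
]

# Regex equivalent of the thread's final grok pattern. Differences: the RFC 5424
# "<PRI>VERSION" header is optional (a syslog input usually strips it), the realm
# is split out of the user field, and the user field is not greedy, so both
# "domain\user" and "user1" parse correctly.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>(?P<version>\d+)\s+)?"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?)\s+"
    r"(?P<pulse_appliance>\S+)\s+(?P<software>[^:\s]+):\s+-\s+-\s+-\s+"
    r"(?P<timestamp2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+-\s+(?P<w1>\w+)\s+-\s+"
    r"\[(?P<ip>[^\]]+)\]\s+(?P<user>[^(\s]+)\((?P<realm>[^)]*)\)\[(?P<group>[^\]]*)\]\s+-\s+"
    r"(?P<logmsg>.*)$"
)

# Second-stage patterns (assumed from the two samples) for the event types seen
# in the thread; any other event keeps its unparsed logmsg and event="unknown".
LOGIN_RE = re.compile(
    r"^Login succeeded for (?P<login_user>[^/\s]+)/(?P<login_realm>\S+) "
    r"\(session:(?P<session>[^)]*)\) from (?P<src_ip>\S+) with (?P<user_agent>.*?)\.?$"
)
CLOSE_RE = re.compile(
    r"^Closed connection to (?P<service>\S+) port (?P<port>\d+) after (?P<seconds>\d+) seconds, "
    r"with (?P<bytes_read>\d+) bytes read \(in (?P<chunks_read>\d+) chunks\) "
    r"and (?P<bytes_written>\d+) bytes written \(in (?P<chunks_written>\d+) chunks\)$"
)

def parse_pulse_line(line: str) -> Optional[dict]:
    """Return a flat dict of fields, or None if the line is not in this format."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    for event, pattern in (("login_succeeded", LOGIN_RE), ("connection_closed", CLOSE_RE)):
        sub = pattern.match(fields["logmsg"])
        if sub:
            fields["event"] = event
            fields.update(sub.groupdict())
            break
    else:
        fields["event"] = "unknown"
    return fields
```

Running `parse_pulse_line` over `SAMPLE_LINES` yields the same header fields as the simulator output above plus `realm`, `event`, and the per-event fields (session id, source IP, user agent, byte counts).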
