Grok pattern test

Hi everyone,
I want to do a grok filter for some expression.
The filter works but there is only one problem.

Here is the text:
we have detected abuse from the IP address ( 197.230.107.154 ), which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate. Any feedback is welcome but not mandatory.
Log lines are given below, but please ask if you require any further information.
(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)
IP of the attacker: 197.230.107.154
You can contact us by using: abuse-reply@keyweb.de
Addresses to send to: noc_isp@meditel.ma

Here is the grok filter:
%{GREEDYDATA:message} (%{IPV4:attacker}) %{GREEDYDATA:message}\n%{GREEDYDATA:message}\n*%{GREEDYDATA:message} \n*%{GREEDYDATA:message}\n*%{CISCO_REASON}: %{GREEDYDATA:attacker2} \n*%{CISCO_REASON}: %{GREEDYDATA:sender}\n*%{CISCO_REASON}: %{GREEDYDATA:receiver}

Here is the result I get in Kibana:

attacker : 197.230.107.154
attacker 2 : 197.230.107.154 You can contact us by
sender : abuse-reply@keyweb.de Addresses to send to
receiver : noc_isp@meditel.ma

What do I need to do for attacker 2 and sender?

Once again, do not use a pattern using multiple GREEDYDATA. Instead, use multiple grok patterns, each with just enough context to get the piece of data you want. For example:

grok { 
    # keep trying the remaining patterns after one matches, so every field is filled
    break_on_match => false
    match => { 
        "message" => [
            # each pattern carries just enough literal context to pin down one field
            "abuse from the IP address \( %{IPV4:attacker1} \)",
            "^IP of the attacker: %{IPV4:attacker2}$",
            "^You can contact us by using: %{DATA:sender}$"
        ]
    }
}
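The three anchored patterns from the reply above, run outside Logstash as an added example (this is not code from the thread): the grok names are expanded to the regexes grok compiles them to and applied with break_on_match => false semantics to a copy of the report constructed from the question. Ruby is used because its ^ and $ are line anchors, as in the Oniguruma engine grok runs on; the IPV4 expansion is the one from the stock grok-patterns file.

```ruby
# Expansions of the stock grok patterns the reply uses (from the grok-patterns file).
IPV4 = '(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])'
DATA = '.*?'   # %{DATA} is non-greedy, so the trailing $ stops it at the end of the line

# The "message" => [...] list from the reply, with %{PATTERN:name} turned into named groups.
# ^ and $ are line anchors in Ruby/Oniguruma, which is what makes the
# multi-line report match line by line without any GREEDYDATA/\n juggling.
PATTERNS = [
  /abuse from the IP address \( (?<attacker1>#{IPV4}) \)/,
  /^IP of the attacker: (?<attacker2>#{IPV4})$/,
  /^You can contact us by using: (?<sender>#{DATA})$/,
]

# break_on_match => false: try every pattern and merge every captured field.
# A pattern that does not match simply contributes no field.
def grok_all(message)
  PATTERNS.each_with_object({}) do |re, fields|
    m = re.match(message) or next
    m.names.each { |n| fields[n] = m[n] }
  end
end

# Constructed sample, based on the abuse report quoted in the question.
REPORT = <<~TXT
  we have detected abuse from the IP address ( 197.230.107.154 ), which according to a whois lookup is on your network.
  Log lines are given below, but please ask if you require any further information.
  IP of the attacker: 197.230.107.154
  You can contact us by using: abuse-reply@keyweb.de
  Addresses to send to: noc_isp@meditel.ma
TXT

if __FILE__ == $0
  p grok_all(REPORT)
end
```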

Thank you very much Badger,
