Hi All,
I have the below log content, which I am capturing from a security application, so I want to prepare a grok pattern to simplify the log; however, I couldn't make a grok pattern for the below log. Kindly suggest what pattern is suitable for it.
<14>Jan 2 13:54:17.389 gateway SSG[653]: INFO com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -4: API Name = Fetch/Remove | Service URI = /addusers/nanda | Latency = 8 | Total Time = 8 | Request = | Request URL = xxxx | Client IP = xx.xx.xx.xx | Routing URL = xxxx | Request Method = GET | Response = | Response Status = 404 | Error Message = {\r\n "error": "invalid_request",\r\n "error_description": "username 'nanda' does not exist!"\r\n}
Regards,
Eshwar
Badger
January 2, 2025, 2:30pm
I wouldn't use grok; I would use dissect and kv filters. See here for an example.
2 Likes
Rios
January 2, 2025, 6:46pm
Ho Ho Ho, Santa Claus wishes you all the best in 2025.
This should work.
input {
  generator {
    # the sample line from the question, with placeholder URLs and IP
    message => '<14>Jan 2 13:54:17.389 gateway SSG[653]: INFO com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -4: API Name = Fetch/Remove | Service URI = /addusers/nanda | Latency = 8 | Total Time = 8 | Request = | Request URL = https://request.com/path | Client IP = 173.5.193.143 | Routing URL = https://somewhere.com/path | Request Method = GET | Response = | Response Status = 404 | Error Message = {\r\n "error": "invalid_request",\r\n "error_description": "username \'nanda\' does not exist!"\r\n}'
    count => 1
  }
}
output {
  stdout { codec => rubydebug { metadata => true } }
}
filter {
  # Slice the fixed syslog header; everything after the numeric "-4:" goes to [@metadata][kvmsg]
  # Note: <14> is the syslog PRI (facility * 8 + severity), captured here under the name "pid";
  # the real process id is the [653] captured as processId.
  dissect {
    mapping => {
      "message" => "<%{pid}>%{date} %{+date} %{time} %{sourcehost} %{processName}[%{processId}]: %{level} %{method}: %{value}: %{[@metadata][kvmsg]}"
    }
  }
  # Split the remaining "key = value | key = value" pairs on "| "; empty values ("Request = ") are kept
  kv {
    source => "[@metadata][kvmsg]"
    allow_empty_values => true
    trim_value => "[\s]"
    field_split_pattern => "\|\s"
  }
  mutate {
    convert => {
      "Total Time" => "integer"
      "pid" => "integer"
      "Latency" => "integer"
      "processId" => "integer"
      "value" => "integer"
    }
    # rebuild "Jan 2 13:54:17.389" for the date filter (the line carries no year)
    add_field => { "[@metadata][timestamp]" => "%{date} %{time}" }
  }
  date {
    match => [ "[@metadata][timestamp]", "MMM dd HH:mm:ss.SSS" ]
    #target => "timestamp"
    #timezone => "Europe/Berlin"
  }
  mutate { remove_field => [ "event", "message", "host", "@version" ] }
}
Output:
{
  "Request URL" => "https://request.com/path",
  "date" => "Jan 2",
  "Service URI" => "/addusers/nanda",
  "method" => "com.l7tech.server.policy.assertion.ServerAuditDetailAssertion",
  "level" => "INFO",
  "@metadata" => {
    "timestamp" => "Jan 2 13:54:17.389",
    "kvmsg" => "API Name = Fetch/Remove | Service URI = /addusers/nanda | Latency = 8 | Total Time = 8 | Request = | Request URL = https://request.com/path | Client IP = 173.5.193.143 | Routing URL = https://somewhere.com/path | Request Method = GET | Response = | Response Status = 404 | Error Message = {\\r\\n \"error\": \"invalid_request\",\\r\\n \"error_description\": \"username \\'nanda\\' does not exist!\"\\r\\n}"
  },
  "Request" => "",
  "Total Time" => 8,
  "API Name" => "Fetch/Remove",
  "sourcehost" => "gateway",
  "pid" => 14,
  "Client IP" => "173.5.193.143",
  "Request Method" => "GET",
  "Latency" => 8,
  "Response" => "",
  "Error Message" => "{\\r\\n \"error\": \"invalid_request\",\\r\\n \"error_description\": \"username \\'nanda\\' does not exist!\"\\r\\n}",
  "Response Status" => "404",
  "Routing URL" => "https://somewhere.com/path",
  "@timestamp" => 2025-01-02T12:54:17.389Z,
  "processName" => "SSG",
  "processId" => 653,
  "time" => "13:54:17.389",
  "value" => -4
}
1 Like
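As an added example, not part of any post in this thread: the same dissect-then-kv parse written in Python, so the field slicing can be checked outside Logstash before a pipeline is deployed. It uses the field names the config in the thread produces, decodes the syslog PRI into facility and severity (the dissect mapping labels that number `pid`), converts the numeric fields, and parses the JSON body the gateway embeds in `Error Message`. The sample line, host name, URLs and client IP below are constructed placeholders, not values from the thread; `HEADER_RE`, `parse_kv`, `parse_line` and `decode_pri` are names chosen for this example.

```python
import json
import re

# Constructed sample line, modelled on the one in the question; host name, URLs and the
# client IP are placeholders, not values from the thread.
SAMPLE_LINE = (
    '<14>Jan 2 13:54:17.389 gateway SSG[653]: INFO '
    'com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -4: '
    'API Name = Fetch/Remove | Service URI = /addusers/nanda | Latency = 8 | '
    'Total Time = 8 | Request = | Request URL = https://request.example/path | '
    'Client IP = 192.0.2.10 | Routing URL = https://upstream.example/path | '
    'Request Method = GET | Response = | Response Status = 404 | '
    'Error Message = {\r\n "error": "invalid_request",\r\n '
    '"error_description": "username \'nanda\' does not exist!"\r\n}'
)

# Same slicing as the dissect mapping: <PRI>date time host process[pid]: level class: value: rest
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<sourcehost>\S+) "
    r"(?P<processName>[^\[\s]+)\[(?P<processId>\d+)\]: "
    r"(?P<level>\S+) "
    r"(?P<method>\S+): "
    r"(?P<value>-?\d+): "
    r"(?P<kvmsg>.*)$",
    re.DOTALL,  # the trailing JSON body spans CR/LF characters
)

# Numeric fields the Logstash config converts, plus the HTTP status it left as a string
INTEGER_FIELDS = ("Latency", "Total Time", "Response Status")


def decode_pri(pri):
    """Syslog PRI = facility * 8 + severity (RFC 5424); <14> is user-level (1), informational (6)."""
    pri = int(pri)
    return {"facility": pri // 8, "severity": pri % 8}


def parse_kv(kvmsg):
    """Split 'key = value | key = value' the way the kv filter does: field split on '| ',
    value split on the first '=', whitespace trimmed, empty values kept."""
    fields = {}
    for pair in re.split(r"\|\s", kvmsg):
        key, sep, val = pair.partition("=")
        if not sep:
            continue  # no '=' at all: not a pair, skip it as kv would
        fields[key.strip()] = val.strip()
    return fields


def is_ssg_audit_line(line):
    """Cheap pre-check so lines in another format are not force-fed to the parser."""
    return HEADER_RE.match(line) is not None


def parse_line(line):
    """Return a flat dict of the event; raises ValueError on a line in a different format."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("line does not match the SSG audit-detail format")
    event = m.groupdict()
    kvmsg = event.pop("kvmsg")
    event.update(decode_pri(event.pop("pri")))
    event["processId"] = int(event["processId"])
    event["value"] = int(event["value"])
    event.update(parse_kv(kvmsg))
    for name in INTEGER_FIELDS:
        if event.get(name, "").isdigit():
            event[name] = int(event[name])
    # The gateway embeds a JSON body in "Error Message"; decode it when it is well-formed,
    # otherwise keep the raw text so nothing is lost.
    raw = event.get("Error Message", "")
    if raw.startswith("{"):
        try:
            event["Error Message"] = json.loads(raw)
        except json.JSONDecodeError:
            pass
    return event


if __name__ == "__main__":
    print(json.dumps(parse_line(SAMPLE_LINE), indent=2))
```

Two caveats carry over to the Logstash version: the field split on "| " assumes no value contains that sequence (the URLs and the JSON body in this sample do not, but error text coming back from a client request is not under the gateway's control, so keep the raw message or route parse failures to a dead-letter path rather than silently trusting the split), and the header carries no year, so year assignment is left to the date filter or to whatever stores the event.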