Grok pattern

Hi All,

I have the log content below, which I am capturing from a security application. I want to prepare a grok pattern to simplify the log, but I couldn't build one for these logs. Kindly suggest which pattern is suitable for the log below.

<14>Jan 2 13:54:17.389 gateway SSG[653]: INFO com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -4: API Name = Fetch/Remove | Service URI = /addusers/nanda | Latency = 8 | Total Time = 8 | Request = | Request URL = xxxx | Client IP = xx.xx.xx.xx | Routing URL = xxxx | Request Method = GET | Response = | Response Status = 404 | Error Message = {\r\n "error": "invalid_request",\r\n "error_description": "username 'nanda' does not exist!"\r\n}

Regards,
Eshwar

I wouldn't use grok; I would use the dissect and kv filters instead. See here for an example.


Ho Ho Ho Santa Claus wish you all the best in 2025. :heartbeat:

This should work.

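input {
  generator {
    # One synthetic copy of the poster's sample line (URLs and client IP are constructed sample values).
    message => '<14>Jan 2 13:54:17.389 gateway SSG[653]:  INFO com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -4: API Name = Fetch/Remove | Service URI = /addusers/nanda | Latency = 8 | Total Time = 8 | Request = | Request URL = https://request.com/path | Client IP = 173.5.193.143 | Routing URL = https://somewhere.com/path | Request Method = GET | Response = | Response Status = 404 | Error Message = {\r\n "error": "invalid_request",\r\n "error_description": "username \'nanda\' does not exist!"\r\n}'
    count => 1
  }
}
output {
  # metadata => true so the [@metadata] scratch fields are visible while debugging; drop it in production.
  stdout { codec => rubydebug{ metadata => true}} 
}
filter {

  # Step 1: split the syslog envelope from the "key = value | key = value" payload.
  # The leading <14> is the syslog PRI (facility*8 + severity), not a process id; the
  # field is still called "pid" here so the output shown below keeps the same field names.
  # A line that does not match this layout is tagged "_dissectfailure" and left unparsed.
  dissect {
    mapping => {
      "message" => "<%{pid}>%{date} %{+date} %{time} %{sourcehost} %{processName}[%{processId}]:  %{level} %{method}: %{value}: %{[@metadata][kvmsg]}"
    }
  }

  # Step 2: parse the payload. Fields are separated by "| " and "Request = |" style entries
  # are kept as empty strings (allow_empty_values). The values (URLs, error body) originate
  # from the client request, so a literal "| " inside a query string or error message would
  # be split into an extra field; do not treat these fields as trustworthy without checking tags.
  kv { source => "[@metadata][kvmsg]"
    allow_empty_values => true
    trim_value => "[\s]"
    field_split_pattern => "\|\s"
  }

  # Step 3: numeric fields. "Response Status" is converted too so it can be range-filtered
  # (e.g. >= 400) like the other counters instead of being compared as a string.
  mutate {
    convert => {
        "Total Time" => "integer"
        "pid" => "integer"
        "Latency" => "integer"
        "processId" => "integer"
        "Response Status" => "integer"
        "value" => "integer" }
    add_field => { "[@metadata][timestamp]" => "%{date} %{time}" }
  }

  # Step 4: build @timestamp. The log line carries no year and no zone, so the date filter
  # assumes the current year and, with "timezone" unset, the Logstash host's zone. Set
  # "timezone" to the gateway's zone explicitly; the sample output's @timestamp being one hour
  # behind the logged time is consistent with a UTC+1 host, but that is an inference — verify.
  # An unparseable timestamp is tagged "_dateparsefailure".
  date {
       match => [ "[@metadata][timestamp]", "MMM dd HH:mm:ss.SSS" ]
       #target => "timestamp"
       #timezone => "Europe/Berlin"
  }

  # Step 5: clean-up. The raw "message" is only dropped when dissect matched, so an
  # unparsed line keeps its original text for troubleshooting and later re-parsing.
  mutate{ remove_field => [ "event", "host", "@version" ] }
  if "_dissectfailure" not in [tags] {
    mutate{ remove_field => [ "message" ] }
  }

}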

Output:

{
        "Request URL" => "https://request.com/path",
               "date" => "Jan 2",
        "Service URI" => "/addusers/nanda",
             "method" => "com.l7tech.server.policy.assertion.ServerAuditDetailAssertion",
              "level" => "INFO",
          "@metadata" => {
        "timestamp" => "Jan 2 13:54:17.389",
            "kvmsg" => "API Name = Fetch/Remove | Service URI = /addusers/nanda | Latency = 8 | Total Time = 8 | Request = | Request URL = https://request.com/path | Client IP = 173.5.193.143 | Routing URL = https://somewhere.com/path | Request Method = GET | Response = | Response Status = 404 | Error Message = {\\r\\n \"error\": \"invalid_request\",\\r\\n \"error_description\": \"username \\'nanda\\' does not exist!\"\\r\\n}"
    },
            "Request" => "",
         "Total Time" => 8,
           "API Name" => "Fetch/Remove",
         "sourcehost" => "gateway",
                "pid" => 14,
          "Client IP" => "173.5.193.143",
     "Request Method" => "GET",
            "Latency" => 8,
           "Response" => "",
      "Error Message" => "{\\r\\n \"error\": \"invalid_request\",\\r\\n \"error_description\": \"username \\'nanda\\' does not exist!\"\\r\\n}",
    "Response Status" => "404",
        "Routing URL" => "https://somewhere.com/path",
         "@timestamp" => 2025-01-02T12:54:17.389Z,
        "processName" => "SSG",
          "processId" => 653,
               "time" => "13:54:17.389",
              "value" => -4
}