Grok regex to filter custom data


I am trying to define a grok to parse the following line: (It's from an Alcatel Lucent 7210SAS device)

Jun 21 12:10:49 TMNX: 7655 Base SYSTEM-WARNING-ssiSyncConfigOK-2012 [Syncronization of Config files]: Configuration files have been successfully syncronized


Jun 21 12:10:49 TMNX: 7655 Base USER-MINOR-cli_user_logout-2002 [admin]: User from logged out

On the above lines, SYSTEM-WARNING and USER-MINOR will always be 2 words delimited by a hyphen, cli_user_logout or ssiSyncConfigOK must be taken as a whole word, and 2012 or 2002 as an integer or string.

[admin] or [Syncronization of Config files] must also be taken as a whole string, which is the action, let's say.

I compiled this in grok debugger for the second line but in logstash doesn't work:

(?<severity>^(.*?-.*?))-(?<id>(.*)) (?<user>\[([^\[\]]+)\]): %{GREEDYDATA:message_log}

Which in grokdebugger correctly outputs "USER-MINOR", "2002" and "cli_user_logout-2002" plus the rest of the message.

I figured out the part with the date, IP and static word plus the sequence number of the log file ("7655", which is always different), but I am stuck on the next part of the message.

I would like a line which can match all of the above in both cases; let's say a generic one will look like:

Jun 21 12:10:49 TMNX: 7655 Base SEVERITY-TYPE-event-eventid [action]: User from logged out

SEVERITY-TYPE is always upper case and 2 words with a hyphen in the middle.
event is always a whole word, regardless of whether it has any punctuation inside or not.

[action] is always between square brackets and the data must be filtered without the brackets, only the value.

I've had a hard time making it work on the grokdebugger site, and wasn't able to do a generic one, just one for the values with "_" in event. The above grok outputs this:

"severity": [
"id": [
"user": [
"message_log": [
"User from logged out"

but this doesn't work in logstash...

Appreciate any help
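A generic expression for the line shape described in the post, added here as an example (it is not code from the original post and not part of Logstash). Logstash's grok runs on an Oniguruma-style regex engine, so the same named-capture syntax can be checked in plain Ruby. The two sample lines are copied from the post; the grok pattern, the expanded regex and the field names timestamp, seq, severity, event, eventid, action and message_log are this example's own choices, and the timestamp sub-pattern is a simplified stand-in for grok's %{SYSLOGTIMESTAMP}.

```ruby
# Sample input: the two lines quoted in the question (constructed test data).
SAMPLE_LINES = [
  "Jun 21 12:10:49 TMNX: 7655 Base SYSTEM-WARNING-ssiSyncConfigOK-2012 " \
  "[Syncronization of Config files]: Configuration files have been successfully syncronized",
  "Jun 21 12:10:49 TMNX: 7655 Base USER-MINOR-cli_user_logout-2002 [admin]: User from logged out",
].freeze

# The pattern as it would be written in a Logstash grok filter (hypothetical
# field names; SYSLOGTIMESTAMP, INT and GREEDYDATA are grok's built-in patterns).
# The event name is matched lazily (\S+?) so that the only thing that can end it
# is the "-<digits> [" that introduces the event id and the bracketed action.
GROK_PATTERN = '%{SYSLOGTIMESTAMP:timestamp} TMNX: %{INT:seq} Base ' \
               '(?<severity>[A-Z]+-[A-Z]+)-(?<event>\S+?)-(?<eventid>\d+) ' \
               '\[(?<action>[^\]]+)\]: %{GREEDYDATA:message_log}'

# The same expression with the built-in grok patterns expanded into plain regex
# (timestamp simplified to "Mon DD HH:MM:SS"), so it can be run without Logstash.
TMNX_LINE = /\A
  (?<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s
  TMNX:\s(?<seq>\d+)\sBase\s
  (?<severity>[A-Z]+-[A-Z]+)-     # SEVERITY-TYPE: two upper-case words joined by a hyphen
  (?<event>\S+?)-                 # event name as one token, underscores and mixed case allowed
  (?<eventid>\d+)\s               # numeric event id
  \[(?<action>[^\]]+)\]:\s        # bracketed action, captured without the brackets
  (?<message_log>.*)              # free text up to end of line
\z/x

# Parse one TMNX line into a Hash of field name => value, or nil when the line
# does not have the expected shape (what Logstash would tag _grokparsefailure).
def parse_tmnx(line)
  m = TMNX_LINE.match(line)
  m && m.named_captures
end

# Parse a batch and keep the lines that failed to match, so unparsed device
# events are visible rather than silently dropped from the pipeline.
def parse_batch(lines)
  parsed, failed = [], []
  lines.each do |line|
    event = parse_tmnx(line)
    event ? parsed << event : failed << line
  end
  [parsed, failed]
end

if __FILE__ == $0
  parsed, failed = parse_batch(SAMPLE_LINES + ["not a TMNX line at all"])
  parsed.each { |ev| puts ev.inspect }
  failed.each { |line| puts "no match: #{line}" }
end
```

The point of the lazy `(?<event>\S+?)` followed by `-(?<eventid>\d+) \[` is that the event name is taken as one token whether it contains underscores or not, without having to enumerate the characters it may contain; the event id and the opening bracket are what terminate it. In Logstash, lines that do not fit this shape keep flowing but are tagged `_grokparsefailure`, so it is worth counting those tags rather than assuming every device event was parsed.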

