Grok skipping on [ when supplied \s in a custom filter

This is the log that I am trying to parse ==>

DESTINATION UNREACHABLE: PORT UNREACHABLE ** ORIGINAL DATAGRAM DUMP: 10.8.10.21:28184 -> 10.8.10.19:69 UDP TTL:64 TOS:0x0 ID:40693 IpLen:20 DgmLen:88 Len: 60 Csum: 19270 (60 more bytes of original packet) ** END OF DUMP [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0068][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0790]

The Custom Filter that is used ==>

(?<pkt_detail>([A-za-z0-9:*()-.=>\s])+)%{GREEDYDATA:xrefs}

The requirement is to separate the Packet Details from the XREFS (starting from [Xref). However, the Packet Details don't stop parsing there; instead, this is the output from the debugger:

{
  "pkt_detail": [
    [
      "DESTINATION UNREACHABLE: PORT UNREACHABLE ** ORIGINAL DATAGRAM DUMP: 10.8.10.21:28184 -> 10.8.10.19:69 UDP TTL:64 TOS:0x0 ID:40693 IpLen:20 DgmLen:88 Len: 60  Csum: 19270 (60 more bytes of original packet) ** END OF DUMP [Xref => http:"
    ]
  ],
  "xrefs": [
    [
      "//cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0068][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0790] "
    ]
  ]
}

Kindly help to stop Packet Detail event after END OF DUMP.

I would suggest something simpler, such as

grok { match => { "message" => "^(?<pkt_detail>[^\[]+)%{GREEDYDATA:xrefs}" } }

Blacklist instead of whitelist. :+1:
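Added example (not from the thread) showing why the original character class runs past END OF DUMP and how the negated-class version from the reply separates the fields. It is plain Ruby, whose regex syntax accepts both patterns unchanged; %{GREEDYDATA} is expanded to .* by hand, and the log line is a constructed copy of the one in the question.

```ruby
# Constructed sample: the same line the question is about.
LOG = "DESTINATION UNREACHABLE: PORT UNREACHABLE ** ORIGINAL DATAGRAM DUMP: " \
      "10.8.10.21:28184 -> 10.8.10.19:69 UDP TTL:64 TOS:0x0 ID:40693 IpLen:20 " \
      "DgmLen:88 Len: 60 Csum: 19270 (60 more bytes of original packet) ** END OF DUMP " \
      "[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0068]" \
      "[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0790]"

# The question's pattern, with %{GREEDYDATA:xrefs} written out as (?<xrefs>.*).
# Two things hide inside the class: A-z is a code-point range that also covers
# [ \ ] ^ _ and backtick, and )-. is a range from ')' to '.' (so it adds * + , -).
# '/' (0x2F) is just outside that range, which is why the match stops at "http:".
ORIGINAL = /(?<pkt_detail>([A-za-z0-9:*()-.=>\s])+)(?<xrefs>.*)/

# The reply's pattern: consume everything up to the first '[' instead of
# listing allowed characters.
FIXED = /^(?<pkt_detail>[^\[]+)(?<xrefs>.*)/

# Run a pattern over a line and return the two named captures, or nil on no match.
def split_fields(pattern, line)
  m = pattern.match(line)
  return nil unless m
  { pkt_detail: m[:pkt_detail], xrefs: m[:xrefs] }
end

# The characters that A-z accepts but that the author almost certainly did not
# intend: everything strictly between 'Z' and 'a' in ASCII order.
def chars_between_Z_and_a
  ('Z'.ord + 1 ... 'a'.ord).map(&:chr)
end

if __FILE__ == $PROGRAM_NAME
  p chars_between_Z_and_a
  p split_fields(ORIGINAL, LOG)
  p split_fields(FIXED, LOG)
end
```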
