I'm testing a Grok pattern for sssd messages like this one:
2020-01-03T16:28:24.968540-05:00 ny2dev10 [sssd[krb5_child[7312]]]: Preauthentication failed
I ran the Grok Debugger with the following pattern and it looks fine. (Yes, I try to ignore "krb5_child".)
%{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:hostname} [%{WORD:[process][name]}[%{WORD}[%{NUMBER:[process][pid]}]]]: %{GREEDYDATA:message}
{
"hostname": "dev10",
"[process][pid]": "7312",
"message": "Preauthentication failed",
"[process][name]": "sssd",
"timestamp": "2020-01-03T16:28:24.968540-05:00"
}
However, when I run it with Ruby debug, I get something like this:
{
"hostname" => "dev10",
"message" => "Preauthentication failed",
"timestamp" => "2020-01-03T17:05:22.670995-05:00",
"process" => {
"name" => "[sssd[krb5_child[7502]]]"
},
"fileset" => {
"name" => "syslog"
},
I'm moving forward with my tests with ELK, but I think I still need to read up more about grok and logstash. Maybe WORD is not what I think it is?
Thanks
W
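Grok patterns are regular expressions, so the literal `[` and `]` around the process fields in a line like this have to be written as `\[` and `\]`; an unescaped `[` opens a character class. The following is an added example, not code from the post or from Elastic: it hand-expands the escaped form of the pattern into the equivalent Ruby regex (Ruby's Onigmo engine is a close relative of the Joni engine grok compiles to) and parses the sample line into the same `[process][name]` / `[process][pid]` shape. The TIMESTAMP_ISO8601, SYSLOGHOST, WORD and NUMBER expansions below are simplified assumptions, not copies of logstash's pattern files.

```ruby
# Added example (not from the post): the sssd syslog line parsed with a Ruby regex
# that is the hand-expanded equivalent of the grok pattern, brackets escaped.

# Simplified hand expansions of grok's core patterns (constructed here, not copied
# from logstash's grok-patterns file).
TIMESTAMP_ISO8601 = /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?/
SYSLOGHOST        = /[A-Za-z0-9][A-Za-z0-9.\-]*/
WORD              = /\b\w+\b/
NUMBER            = /\d+/

# Equivalent of the grok pattern
#   %{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:hostname} \[%{WORD:[process][name]}\[%{WORD}\[%{NUMBER:[process][pid]}\]\]\]: %{GREEDYDATA:message}
# The brackets in "[sssd[krb5_child[7312]]]" are literal text in the log line, so
# each one is escaped; unescaped, "[" starts a character class instead.
SSSD_LINE = /\A
  (?<timestamp>#{TIMESTAMP_ISO8601})\s
  (?<hostname>#{SYSLOGHOST})\s
  \[(?<process_name>#{WORD})\[(?<child>#{WORD})\[(?<pid>#{NUMBER})\]\]\]:\s
  (?<message>.*)
\z/x

# Returns a hash shaped like the logstash event ([process][name], [process][pid]),
# or nil when the line does not match (the equivalent of a _grokparsefailure tag).
def parse_sssd_line(line)
  m = SSSD_LINE.match(line)
  return nil unless m
  {
    "timestamp" => m[:timestamp],
    "hostname"  => m[:hostname],
    "process"   => { "name" => m[:process_name], "child" => m[:child], "pid" => m[:pid] },
    "message"   => m[:message],
  }
end

# The line from the post.
SAMPLE = "2020-01-03T16:28:24.968540-05:00 ny2dev10 [sssd[krb5_child[7312]]]: Preauthentication failed"

if __FILE__ == $PROGRAM_NAME
  require "pp"
  pp parse_sssd_line(SAMPLE)
end
```

With the escaped brackets the hostname comes out as the full `ny2dev10` and `process.name` as just `sssd`, which is a quick way to check a grok pattern outside the Debugger before putting it in a pipeline.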