Grok sssd messages, like "[sssd[krb5_child[7502]]]"

I'm testing a Grok pattern for sssd messages like this one:

2020-01-03T16:28:24.968540-05:00 ny2dev10 [sssd[krb5_child[7312]]]: Preauthentication failed

I ran Grok Debugger with the following pattern and it looks fine. (yes, I try to ignore "krb5_child").

%{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:hostname} [%{WORD:[process][name]}[%{WORD}[%{NUMBER:[process][pid]}]]]: %{GREEDYDATA:message}

"hostname": "dev10",
"[process][pid]": "7312",
"message": "Preauthentication failed",
"[process][name]": "sssd",
"timestamp": "2020-01-03T16:28:24.968540-05:00"

However, when I run it with Ruby debug, I got something like this:

"hostname" => "dev10",
"message" => "Preauthentication failed",
"timestamp" => "2020-01-03T17:05:22.670995-05:00",
"process" => {
"name" => "[sssd[krb5_child[7502]]]"
"fileset" => {
"name" => "syslog"

I'm moving forward with my tests with ELK, but I think I still need to read up more about grok and logstash. May be WORD is not what I think it is?


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.