_grokparsefailure but grok debugger looks good

Hello everyone,

I need some help with my grok pattern, because Logstash is not able to parse it. Kibana and other grok debuggers are able to parse the logs.

Sample Log:

Mar 10 00:59:50\t1.1.1.1\ttest@static\t0/0/0/0000\tunknown\tstart\ttask_id=67511\ttimezone=met\tservice=ppp

Grok Pattern

%{MONTH:month}\s*%{MONTHDAY:day}\s*%{TIME:time}\\t%{IPV4:IGP}\\t%{PPPOEUSER:pppoeuser}\\t%{INTERFACE:Interface}\\t%{GREEDYDATA:tac_message}

Custom Patterns:

PPPOE [.a-zA-Z0-9_-]+
STATIC [.a-zA-Z0-9_-]+
PPPOEUSER %{PPPOE}@%{STATIC}
INTERFACE [\d/\d/\d/\d]+

Config:

input {
        beats {
                port => 5050
                ssl => false
        }
}

filter {
        grok {
            patterns_dir => ["/usr/share/logstash/patterns"]
            match => { "message" => "%{MONTH:month}\s*%{MONTHDAY:day}\s*%{TIME:time}\\t%{IPV4:IGP}\\t%{PPPOEUSER:pppoeuser}\\t%{INTERFACE:Interface}\\t%{GREEDYDATA:tac_message}" }
        }
}

output {
        elasticsearch {
          hosts => [ localhost:9200" ]
          index => "index-%{+YYYY.MM.dd}"
        }
        # debug
        stdout { codec => rubydebug }
}

Thank you!

Hi,

Can you show us the result of

Cad.

Hi,

of course

{
         "input" => {
        "type" => "log"
    },
      "@version" => "1",
    "@timestamp" => 2021-07-21T12:27:08.769Z,
           "log" => {
          "file" => {
            "path" => "/var/log/log.log"
        },
        "offset" => 10403402
    },
           "ecs" => {
        "version" => "1.8.0"
    },
         "agent" => {
                  "id" => "ddc8951e-5c80-4613-a670-91f0f60b50d9",
             "version" => "7.13.4",
        "ephemeral_id" => "9e1a57c6-62db-4bb5-a2a8-579a3fc75044",
                "name" => "system02",
                "type" => "filebeat",
            "hostname" => "system02"
    },
       "message" => "Mar 10 00:59:50\t1.1.1.1\ttest@static\t0/0/0/0000\tunknown\tstart\ttask_id=67511\ttimezone=met\tservice=ppp",
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_grokparsefailure"
    ],
          "host" => {
                   "id" => "90b06be9d8564ff694298df08bc29f26",
                  "mac" => [
            [0] "00:00:00:00:00:00"
        ],
             "hostname" => "system02",
        "containerized" => false,
                 "name" => "system02",
         "architecture" => "x86_64",
                   "ip" => [
            [0] "1.1.1.2",
        ],
                   "os" => {
            "codename" => "Core",
             "version" => "8 (Core)",
                "name" => "CentOS Linux",
              "kernel" => "4.18.0-193.14.2.el8_2.x86_64",
                "type" => "linux",
              "family" => "redhat",
            "platform" => "centos"
        }
    }

Best regards

I don't see any error in the grok configuration.

Are you sure the conf file you gave us is the file you are running in Logstash?
Because this line has to give you an error.

This is the correct line.

          hosts => [ "master1:9200", "master2:9200" ]

Overall the configuration should be ok, because logstash does not fail when it starts and I can see the logs in Kibana.

Maybe it's because of INTERFACE.
\d is for finding a digit, so INTERFACE searches for multiple groups of 4 digits separated by slashes.

In your case, INTERFACE has to take 3 digits and a number, all separated by a slash.

So INTERFACE needs to be declared like this:
INTERFACE \d/\d/\d/[\d]+

I tried the pattern but it did not work. Still grokparsefailure

So, I think, the better way to find which one is giving an error is to start with DATA patterns
%{DATA:date}\\t%{DATA:IGP}\\t%{DATA:pppoeuser}\\t%{DATA:Interface}\\t%{GREEDYDATA:tac_message}
and add the patterns you want one by one until Logstash shows an error.

I made a mistake in my last post, about your first pattern of INTERFACE. I said,

It's false, your pattern literally says "I search a digit or a slash or a digit or a slash..." 4 times. I still think the pattern I recommended fits your data better.

Logstash is already showing _grokparsefailure when using only DATA pattern for date.
Just going with the following pattern will not give an error. So the date format has to be the problem.

%{GREEDYDATA:tac_message}

I already recognized that there are two spaces between month and day. That's why I used

 %{MONTH:month}\s*%{MONTHDAY:day}

A pattern already exists for this date format: it is SYSLOGTIMESTAMP.

Still _grokparsefailure. I added SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} to my patterns file and edited my grok filter.

match => { "message" => "%{SYSLOGTIMESTAMP:tac_timestamp}\\t%{GREEDYDATA:tac_message}" }

Have you tried to use another format for the tab?
Like \\[t] or [\\][t]

Yes I already tried that but still grokparsefailure.

I tried to parse your line with my own Logstash and it works well.

I tried these two grok configurations:

Each time, I got the good result without any _grokparsefailure tag.

What do you do after editing the grok pattern to reload Logstash?

My Logstash runs inside a Docker container and I mount the pattern via docker-compose. Every time I edited the conf or pattern I removed the container and created a new one. Then I checked whether the files inside the container are correct. Can you tell me what permissions the pattern file needs? Maybe the user inside the container is not allowed to read the file?

Maybe it helps when I create a new conf file and a new pattern file..

So I installed a new Logstash instance without Elasticsearch and Kibana in a different VM and everything works fine with the sample log from above and the following configuration:

Config:

input { stdin { } }
filter {
  grok {
    patterns_dir => ["/usr/share/logstash/patterns"]
    match => { "message" => "%{SYSLOGTIMESTAMP:tac_timestamp}\\t%{IPV4:IGP}\\t%{PPPOEUSER:pppoeuser}\\t%{INTERFACE:Interface}\\t%{GREEDYDATA:tac_message}" }
    }
}
output {
  stdout { codec => rubydebug }
}

Custom Pattern:

PPPOE [.a-zA-Z0-9_-]+
STATIC [.a-zA-Z0-9_-]+
PPPOEUSER %{PPPOE}@%{STATIC}
INTERFACE \d/\d/\d/[\d]+

Logstash output

{
        "Interface" => "0/0/0/0000",
    "tac_timestamp" => "Mar 10 00:59:50",
      "tac_message" => "unknown\\tstart\\ttask_id=67511\\ttimezone=met\\tservice=ppp",
       "@timestamp" => 2021-07-22T12:07:03.640Z,
              "IGP" => "1.1.1.1",
         "@version" => "1",
        "pppoeuser" => "test@static",
             "host" => "ubuntu",
          "message" => "\"Mar 10 00:59:50\\t1.1.1.1\\ttest@static\\t0/0/0/0000\\tunknown\\tstart\\ttask_id=67511\\ttimezone=met\\tservice=ppp"
}

I think, if it is a problem of permissions, an error will be written in the Logstash log file.
You have to give permission to the user or group logstash to access the file.
chown -R logstash /path/to/patterns

If you can't change access to the files, grok has an option named pattern_definitions (example here).

I found my problem.. I was just looking at the message field from the Logstash output and I was trying to parse that message. But the actual log which is getting shipped by Filebeat has a different format..

Jul 22 14:44:33 1.1.1.1    test@static  0/0/0/0000      unknown stop    task_id=93491   timezone=mest   service=ppp

sorry.. my bad
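The thread's two lessons (add one pattern at a time until the match breaks, and check the real bytes of the shipped line rather than a rendered copy) as an added, stand-alone example that is not from the thread or from Logstash itself: a small grok-to-regex expander using simplified stand-ins for the built-in patterns (an assumption; the real Logstash definitions are more elaborate) plus the custom patterns from the thread, run over the tab-separated sample line and the space-separated Filebeat line.

```python
import re

# Simplified stand-ins for the Logstash built-ins the thread uses (assumption:
# close enough for these lines) plus the thread's own custom patterns.
PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"(?:[01]?\d|2[0-3]):[0-5]\d:[0-5]\d",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "GREEDYDATA": r".*",
    "PPPOE": r"[.a-zA-Z0-9_-]+",
    "STATIC": r"[.a-zA-Z0-9_-]+",
    "PPPOEUSER": r"%{PPPOE}@%{STATIC}",
    "INTERFACE": r"\d/\d/\d/[\d]+",
}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(grok):
    """Resolve %{NAME[:field]} references recursively into a Python regex."""
    def sub(m):
        inner = expand(PATTERNS[m.group(1)])
        return f"(?P<{m.group(2)}>{inner})" if m.group(2) else f"(?:{inner})"
    return REF.sub(sub, grok)

def grok_match(grok, line):
    """Return the captured fields, or None (the equivalent of _grokparsefailure)."""
    m = re.match(expand(grok), line)
    return m.groupdict() if m else None

# The thread's fields in order; the separator between them is what varies.
FIELDS = ["%{SYSLOGTIMESTAMP:tac_timestamp}", "%{IPV4:IGP}",
          "%{PPPOEUSER:pppoeuser}", "%{INTERFACE:Interface}"]

def first_failing_field(line, sep):
    """Add one pattern at a time (the thread's advice) and name the first that breaks."""
    for n in range(1, len(FIELDS) + 1):
        grok = sep.join(FIELDS[:n] + ["%{GREEDYDATA:tac_message}"])
        if grok_match(grok, line) is None:
            return FIELDS[n - 1]
    return None

# Constructed inputs: the sample line with real tabs, and the Filebeat line with spaces.
TAB_LINE = ("Mar 10 00:59:50\t1.1.1.1\ttest@static\t0/0/0/0000\t"
            "unknown\tstart\ttask_id=67511\ttimezone=met\tservice=ppp")
SPACE_LINE = ("Jul 22 14:44:33 1.1.1.1    test@static  0/0/0/0000      "
              "unknown stop    task_id=93491   timezone=mest   service=ppp")

if __name__ == "__main__":
    for sep in (r"\t", r"\s+"):
        print(sep, [first_failing_field(l, sep) for l in (TAB_LINE, SPACE_LINE)])
```

With the tab separator the space-separated line already fails at the timestamp stage, exactly as the thread observed, while a `\s+` separator matches both lines.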