Hello, I created a grok pattern and it works well in the Grok Debugger, but when I add it to the filter inside the pipeline, the service passes the restart phase but in Kibana it gives this tag ["_grokparsefailure"]. I tried to debug it but couldn't reach any solution. Here is a log sample which I created the grok for:
<14> Server MTM: 8871AC1 Alert Text: Login ID: USERID from webguis at IP address 10.0.6.87 has logged off. Type of Alert: System - Remote Login Severity: 4 Date(m/d/y): 07/14/2020 Time(h:m:s): 21:57:48 Contact: it@sumerge.com Location: Cairo IMM Text ID: Lenovo System x3650 M5 IMM Serial Number: J335FWW IMM UUID: 11797DCA56B611E79CC00894EF47086E Event ID: 4000009d00000000 Serviceable Event Indicator: Not Serviceable FRU list: Not available Room ID: Not available Rack ID: Not available Lowest U-position: 0 Blade Bay: Not available Test Alert: no Auxiliary Data: Not available Common Event ID: Not available Event Type: 0 Report Chain: Not available
And here is the grok pattern that works well in the Grok Debugger:
%{SYSLOG5424PRI}%{SPACE}Server MTM:%{DATA:server_mtm} Alert Text: %{DATA:message} Type of Alert: %{DATA:alert_type} Severity: %{DATA:severity} Date\(m\/d\/y\): %{DATE:date} Time\(h\:m\:s\): %{DATA:time} Contact: %{DATA:contact} Location: %{DATA:location} IMM Text ID: %{DATA:text_id} Serial Number: %{DATA:serial_number} IMM UUID: %{DATA:imm_uuid} Event ID: %{DATA:event_id}%{SPACE} %{GREEDYDATA:data}
And here is my pipeline itself:
input {
  udp {
    port => 5516
    type => syslog
  }
}
filter {
  grok {
    match => {
      "message" => [ "%{SYSLOG5424PRI}%{SPACE}Server MTM:%{DATA:server_mtm} Alert Text: %{DATA:message} Type of Alert: %{DATA:alert_type} Severity: %{DATA:severity} Date\(m\/d\/y\): %{DATE:date} Time\(h\:m\:s\): %{DATA:time} Contact: %{DATA:contact} Location: %{DATA:location} IMM Text ID: %{DATA:text_id} Serial Number: %{DATA:serial_number} IMM UUID: %{DATA:imm_uuid} Event ID: %{DATA:event_id}%{SPACE} %{GREEDYDATA:data}" ]
    }
    overwrite => [ "message" ]
    add_field => [ "received_at", "%{@timestamp}" ]
    add_field => [ "received_from", "%{host}" ]
    remove_field => [ "syslog5424_pri", "data" ]
  }
}
output {
  elasticsearch {
    hosts => ["http://10.0.200.120:9200"]
    index => "lenovo-x3650-%{+YYYY.MM.dd}"
  }
}
Here is a screenshot from Kibana showing the log itself and the error that appears:
If anyone could help me I'd be grateful.
Thank you
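An added example, not part of the original post: a small Python harness that expands the grok pattern above with the relevant stock Logstash definitions (copied from the default grok-patterns file) and applies it to the sample line the way the grok filter does (unanchored search), then to a constructed variant of that line carrying an embedded line break. The line break is a hypothesis about what the live UDP payload might contain, not something the post shows; it illustrates one common way a pattern that passes the debugger can still yield `_grokparsefailure`, and how the `(?m)` prefix changes the outcome.

```python
import re
# Subset of Logstash's stock grok definitions used by the pattern in the post
# (YEAR written without the atomic group (?>..), which Python's re lacks before 3.11).
GROK_DEFS = {
    "NONNEGINT": r"\b(?:[0-9]+)\b",
    "SYSLOG5424PRI": r"<%{NONNEGINT:syslog5424_pri}>",
    "SPACE": r"\s*", "DATA": r".*?", "GREEDYDATA": r".*",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "DATE_US": r"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}",
    "DATE_EU": r"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}",
    "DATE": r"%{DATE_US}|%{DATE_EU}",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern):
    # %{NAME:field} -> named group, %{NAME} -> non-capturing group; loop because
    # definitions nest (SYSLOG5424PRI uses NONNEGINT, DATE uses DATE_US, ...).
    def repl(m):
        body = GROK_DEFS[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    while GROK_REF.search(pattern):
        pattern = GROK_REF.sub(repl, pattern)
    return pattern

def grok_match(line, pattern, multiline=False):
    # Unanchored search, as the grok filter does. multiline=True mirrors prefixing
    # the grok pattern with (?m): '.' (hence DATA/GREEDYDATA) may then cross newlines.
    m = re.search(expand(pattern), line, re.DOTALL if multiline else 0)
    return m.groupdict() if m else None

# Sample line and pattern from the post (tail after "Event ID" shortened; it only feeds data).
SAMPLE = ("<14> Server MTM: 8871AC1 Alert Text: Login ID: USERID from webguis at IP "
          "address 10.0.6.87 has logged off. Type of Alert: System - Remote Login "
          "Severity: 4 Date(m/d/y): 07/14/2020 Time(h:m:s): 21:57:48 Contact: "
          "it@sumerge.com Location: Cairo IMM Text ID: Lenovo System x3650 M5 IMM "
          "Serial Number: J335FWW IMM UUID: 11797DCA56B611E79CC00894EF47086E "
          "Event ID: 4000009d00000000 Serviceable Event Indicator: Not Serviceable")
PATTERN = (r"%{SYSLOG5424PRI}%{SPACE}Server MTM:%{DATA:server_mtm} Alert Text: %{DATA:message} "
           r"Type of Alert: %{DATA:alert_type} Severity: %{DATA:severity} Date\(m\/d\/y\): "
           r"%{DATE:date} Time\(h\:m\:s\): %{DATA:time} Contact: %{DATA:contact} Location: "
           r"%{DATA:location} IMM Text ID: %{DATA:text_id} Serial Number: %{DATA:serial_number} "
           r"IMM UUID: %{DATA:imm_uuid} Event ID: %{DATA:event_id}%{SPACE} %{GREEDYDATA:data}")

if __name__ == "__main__":
    ok = grok_match(SAMPLE, PATTERN)
    print("debugger-style match:", ok["severity"], ok["date"], ok["event_id"])
    # Constructed variant (a hypothesis, not from the post): the same alert delivered over
    # UDP with a line break inside the alert text. DATA cannot cross it -> _grokparsefailure.
    wrapped = SAMPLE.replace("has logged off.", "has logged\noff.")
    print("with embedded newline:", grok_match(wrapped, PATTERN))
    print("with (?m)-style flag:", grok_match(wrapped, PATTERN, True)["message"])
```

To check the real payload rather than a pasted copy, compare the raw `message` field of a failed event in Kibana (or a `stdout { codec => rubydebug }` output) against `SAMPLE` for characters the debugger input did not have.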