Hello,
I have a problem with my filter: I get the "_grokparsefailure" tag when the logs concerned are processed.
Here is my filter file:
filter {
  if [source] == "/var/log/auth.log" {
    grok {
      match => [ "message", "%{SYSLOGTIMESTAMP:date} %{SYSLOGHOST:host} %{DATA:program}(?:[%{POSINT:pid}])?: %{GREEDYDATA:smt}: %{GREEDYDATA:smt2} for user %{USER:user}" ]
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "date", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
I tried it with the input: "Aug 6 12:17:01 stack CRON[14336]: pam_unix(cron:session): session closed for user root" on http://grokdebug.herokuapp.com/ and it works fine.
Is there any problem with my code?
Thank you,
Manal
Assuming you escape the square brackets
grok { match => [ "message", "%{SYSLOGTIMESTAMP:date} %{SYSLOGHOST:host} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:smt}: %{GREEDYDATA:smt2} for user %{USER:user}" ] }
that works for me
    "message" => "Aug 6 12:17:01 stack CRON[14336]: pam_unix(cron:session): session closed for user root",
    "program" => "CRON",
       "host" => [
        [0] "myHost",
        [1] "stack"
    ],
        "pid" => "14336",
        "smt" => "pam_unix(cron:session)",
       "smt2" => "session closed",
       "user" => "root",
       "date" => "Aug 6 12:17:01"
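To check the escaped pattern offline without a Logstash instance, here is an added example (not code from the thread or from Logstash itself): a minimal grok-style expander in Ruby that substitutes a hand-copied, simplified subset of the default grok definitions (an assumption, not the shipped library) and matches the pattern against the sample line plus a second constructed line with no pid.

```ruby
# Simplified subset of the default grok pattern library (assumption: close enough
# to the shipped definitions for these sample lines; not the real library).
GROK_PATTERNS = {
  "MONTH"           => '\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\b',
  "MONTHDAY"        => '(?:0[1-9]|[12][0-9]|3[01]|[1-9])',
  "TIME"            => '(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::[0-5][0-9])?',
  "SYSLOGTIMESTAMP" => '%{MONTH} +%{MONTHDAY} %{TIME}',
  "SYSLOGHOST"      => '[0-9A-Za-z][0-9A-Za-z.-]*',
  "DATA"            => '.*?',
  "GREEDYDATA"      => '.*',
  "POSINT"          => '\b(?:[1-9][0-9]*)\b',
  "USER"            => '[a-zA-Z0-9._-]+',
}

# The corrected pattern from the reply: the square brackets around the pid are escaped,
# so they are literal characters rather than a regex character class.
AUTH_PATTERN = '%{SYSLOGTIMESTAMP:date} %{SYSLOGHOST:host} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:smt}: %{GREEDYDATA:smt2} for user %{USER:user}'

# Recursively replace %{NAME:field} with a named group and %{NAME} with a non-capturing group.
def expand_grok(pattern, defs = GROK_PATTERNS)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = Regexp.last_match(1), Regexp.last_match(2)
    body = expand_grok(defs.fetch(name), defs)
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Grok searches (no anchors), so trailing text after the last field is ignored, as in Logstash.
def grok_match(pattern, line)
  m = Regexp.new(expand_grok(pattern)).match(line)
  m && m.named_captures
end

# Constructed sample lines: the first is the one from the thread, the second has no pid.
SAMPLE_LINES = [
  "Aug 6 12:17:01 stack CRON[14336]: pam_unix(cron:session): session closed for user root",
  "Aug 6 12:20:33 stack su: pam_unix(su:session): session opened for user root by manal(uid=1000)",
]

def parse_auth_lines(lines = SAMPLE_LINES)
  lines.map { |line| grok_match(AUTH_PATTERN, line) }
end

if __FILE__ == $PROGRAM_NAME
  parse_auth_lines.each { |fields| p fields }
end
```

Lines that do not match return nil, which is the case that makes Logstash add the "_grokparsefailure" tag.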
A space was missing; that's why it wasn't working. I fixed it. Thank you!