Hello, I am using Logstash to collect Cisco logs like the following one:
2017-08-23T11:03:43.068Z 192.168.1.254 <189>79: *Mar 1 01:17:53.151: %SYS-5-CONFIG_I: Configured from console by console
This is my Logstash configuration file:
input {
  udp {
    port => "8514"
    #type => "syslog-cisco"
  }
  tcp {
    port => "8514"
    #type => "syslog-cisco"
  }
}
filter {
  grok {
    match => {
      "message" => "%{TIMESTAMP_ISO8601:syslog_ng_timestamp} %{IP:original_log_host} (?<seq_no><\d*>\d*): \*(?<C_timestamp>\b\w*\b \d* \d*:\d*:\d*.\d*): %(?<facility>\b\w*\b)-(?<severity>\d)-%{GREEDYDATA:MNEMONIC}:%{GREEDYDATA:message}"
    }
  } #grok
}
output {
  stdout {
    codec => "rubydebug"
  }
}
The problem: despite the positive response of grokdebug, I always get _grokparsefailure. I tried one pattern at a time to see what's wrong, but it didn't work:
Show the output from stdout{ codec => "rubydebug" }.
This is the output I get:

And does that message match this grok expression?
%{TIMESTAMP_ISO8601:syslog_ng_timestamp} %{IP:original_log_host} (?<seq_no><\d*>\d*): \*(?<C_timestamp>\b\w*\b \d* \d*:\d*:\d*.\d*): %(?<facility>\b\w*\b)-(?<severity>\d)-%{GREEDYDATA:MNEMONIC}:%{GREEDYDATA:message}
The pattern matches the syslog message, but the output does not match the semantics at all.
I deleted %{TIMESTAMP_ISO8601:syslog_ng_timestamp} and the pattern worked, but I have an overlap in the message field, and there are some other fields that took different names:
original_log_host became host
syslog_ng_timestamp became @timestamp
The following image shows the complete output without %{TIMESTAMP_ISO8601:syslog_ng_timestamp}:
Show your complete configuration. Post it as text. Do not post screenshots.
but I have an overlap in the message field
See the grok filter's overwrite option.
This is it:
INPUT - Logstash listens on port 8514 for these logs.
input {
  udp {
    port => "8514"
    #type => "syslog-cisco"
  }
  tcp {
    port => "8514"
    #type => "syslog-cisco"
  }
}
filter {
  grok {
    match => {
      "message" => "%{TIMESTAMP_ISO8601:syslog_ng_timestamp} %{IP:original_log_host} (?<seq_no><\d*>\d*): \*(?<C_timestamp>\b\w*\b \d* \d*:\d*:\d*\.\d*): %(?<facility>\b\w*\b)-(?<severity>\d)-%{GREEDYDATA:MNEMONIC}:%{GREEDYDATA:message}"
    }
    # overwrite is an option of the grok filter itself, so it sits beside match, not inside it
    overwrite => [ "message" ]
  } #grok
}
output {
  stdout {
    codec => "rubydebug"
  }
}
"message" => "%{TIMESTAMP_ISO8601:syslog_ng_timestamp} %{IP:original_log_host} (?<seq_no><\d*>\d*): \*(?<C_timestamp>\b\w*\b \d* \d*:\d*:\d*\.\d*): %(?<facility>\b\w*\b)-(?<severity>\d)-%{GREEDYDATA:MNEMONIC}:%{GREEDYDATA:message}"
But this is the expression that is known to not match?
It works well on GROKDebug, did you see some mistakes in it?
It works well on GROKDebug,
That's irrelevant.
did you see some mistakes in it?
We're talking in circles. Good luck.
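As an added example (not part of this thread, and not Logstash's or grok's own code), here is a plain-Python equivalent of the grok expression and the overwrite option discussed above. It assumes, as the poster's own observation about host and @timestamp suggests, that the leading "<ISO timestamp> <IP> " on the line in the question is a prefix written by the output side, so the message field a udp/tcp input delivers may start directly at "<189>"; the regex therefore treats that prefix as optional. It also derives facility and severity from the PRI value that the thread's seq_no capture swallows, cross-checks them against the %FAC-SEV-MNEMONIC header, and reproduces grok's behaviour of turning a re-captured message field into an array unless overwrite lists it, which is the overlap the poster describes. The field names mirror the grok expression; the sample lines other than the one from the question are constructed.

```python
import re

# Plain-regex version of the thread's grok expression. The "<ISO timestamp> <IP> "
# prefix is optional (assumption: it is added on output, not part of the message
# field). Unlike grok, which does not anchor by default, this is anchored with ^ and $.
CISCO_SYSLOG_RE = re.compile(
    r"^(?:(?P<syslog_ng_timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?"
    r"(?:Z|[+-]\d{2}:?\d{2})) (?P<original_log_host>\d{1,3}(?:\.\d{1,3}){3}) )?"
    r"<(?P<pri>\d{1,3})>(?P<seq_no>\d+): "
    # IOS prefixes the timestamp with "*" when its clock is not authoritative
    r"(?P<clock_flag>[*.])?"
    r"(?P<c_timestamp>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): ?"
    r"(?P<message>.*)$"
)

# RFC 3164 severity levels, index == numeric severity
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]


def parse_cisco_syslog(line):
    """Return a dict of captured fields, or None when the line does not match."""
    m = CISCO_SYSLOG_RE.match(line)
    if m is None:
        return None
    ev = {k: v for k, v in m.groupdict().items() if v is not None}
    pri = int(ev.pop("pri"))
    ev["seq_no"] = int(ev["seq_no"])
    ev["severity"] = int(ev["severity"])
    # PRI = facility * 8 + severity; Cisco IOS sends local7 (23) by default
    ev["syslog_facility"] = pri // 8
    ev["syslog_severity"] = pri % 8
    ev["severity_name"] = SEVERITY_NAMES[ev["severity"]]
    # The severity inside %FAC-SEV-MNEMONIC should agree with the PRI; a
    # disagreement is worth flagging rather than silently trusting either value.
    ev["severity_mismatch"] = ev["severity"] != ev["syslog_severity"]
    return ev


def is_config_change(ev):
    """SYS-5-CONFIG_I (the event in the question) is IOS's 'configuration changed' message."""
    return ev is not None and (ev["facility"], ev["mnemonic"]) == ("SYS", "CONFIG_I")


def grok_like_merge(event, captures, overwrite=()):
    """Mimic grok's merge: a captured field that already exists on the event becomes
    an array [old, new] unless it is listed in overwrite, in which case it is replaced."""
    out = dict(event)
    for name, value in captures.items():
        if name in out and name not in overwrite:
            old = out[name] if isinstance(out[name], list) else [out[name]]
            out[name] = old + [value]
        else:
            out[name] = value
    return out


# PREFIXED_LINE is the line from the question; RAW_LINE is the assumed message
# field with the output-side prefix removed.
RAW_LINE = "<189>79: *Mar 1 01:17:53.151: %SYS-5-CONFIG_I: Configured from console by console"
PREFIXED_LINE = "2017-08-23T11:03:43.068Z 192.168.1.254 " + RAW_LINE

if __name__ == "__main__":
    # Constructed stand-in for the event the udp input would build
    event = {"@timestamp": "2017-08-23T11:03:43.068Z",
             "host": "192.168.1.254", "message": RAW_LINE}
    fields = parse_cisco_syslog(RAW_LINE)
    print("without overwrite:", grok_like_merge(event, fields)["message"])
    print("with overwrite:   ", grok_like_merge(event, fields, overwrite=("message",))["message"])
    print("config change:", is_config_change(fields))
```

Two points the code makes concrete: grok patterns are unanchored, which is why dropping the leading timestamp token let the rest of the expression match partway into the string, whereas this regex reports a non-matching prefix as a failed parse; and the severity cross-check plus the CONFIG_I flag give a detection-side reason to parse these lines at all, since an unexpected configuration change on a router is something a monitoring pipeline should alert on rather than bury in an array-valued message field.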