Help grok filter , unstructured data

Hello guys , i'm a beginner in this ELK, i'm facing a little problem and i would really appreciate some help from you ,so i have a WAF log file with some non structured content and i want to parse it and extract few informations and not all, and make it structred (the extracted data) and send it Elasticsearch, I heard about a function called GROK which can filter non structured data but i didn't know how to use it and make it work , i really wish if someone could give me a hand concerning this function.
i have an example log file and demonstrat what i want

this is my log file :

and the underlined is what i want to exract and send to elasticsearch.
thakns guys.

log file : --514cec3a-A--
[19/Jul/2017:17:37:26 +0100] WW@Kxn8AAQEAAGwE4wgAAAAA 55420 80
GET /a/a2/passage.php?login=admin%27+or+%271%27%3D%271%27%23&password=xzszx HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1


403 Forbidden


You don't have permission to access /a/a2/passage.php

Apache/2.4.7 (Ubuntu) Server at Port 80

Message: Access denied with code 403 (phase 2). Pattern match "(?i:([\s'"\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*?)\\b([\\d\\w]++)([\\s'\"\xc2\xb4\xe2\x80\x99\xe2\x80\x98\(\)]?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\(\)]?)\2\b|(?:!=|<=|>=|<>|<|>|\^|is\s+not ..." at ARGS:login. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: '1'='1 found within ARGS:login: admin' or '1'='1'#"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1500482246101314 649 (- - -)
Stopwatch2: 1500482246101314 649; combined=224, p1=114, p2=100, p3=0, p4=0, p5=8, sr=12, sw=2, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (; OWASP_CRS/2.2.8.
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "ENABLED"


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.