Help With Grok Pattern - Mail Log

gerard.ramos · September 10, 2019, 11:13am

Anyone can help with this grok pattern??

  grok {
    match => [ "message", "^%{DAY:dia} %{DATESTAMP_EVENTLOG:data} %{NOTSPACE:email_addresss}"]
  }

Example of the log file:

Sat 2019-09-07 08:04:37.283: *  From: basededades@grupsa.com
Sat 2019-09-07 00:04:12.245: *  From: basededades@grupsa.com
Tue 2019-09-10 00:00:06.687: *  From: servicetonic@grupsa.com
Tue 2019-09-10 12:30:28.312: *  From: codita2@coditas.org
Mon 2019-09-09 17:00:36.659: *  From: base@grupsa.com
Mon 2019-09-09 19:31:47.123: *  From: fjmartinez@grupsa.com

The log file has other type of lines but I think that will not efect??

Badger · September 10, 2019, 1:29pm

You could use

grok { match => [ "message", "^%{DAY:dia} %{TIMESTAMP_ISO8601:data}: \*  From: %{NOTSPACE:email_addresss}"] }

However, I would use dissect for that, since it will be cheaper

dissect { mapping => { "message" => "%{} %{data} %{+data}: *  From: %{email_address}" } }

system · October 8, 2019, 1:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.