Hi all, I have the following log , as you can see , it consists of different lines and each of the lines may have different fields such system id : As you can see the titles of the fields carry ( : ) . The first line is the general heading . I need help to create the grok to parse this log.
As you can see the second log , it is different from the first , but both come in the same file
Sample:
Security alarm (SECURITY) and security audit (SECURITY) on YBOR, system id: 18432
Auditable event: System UAF record modification
Event time: 4-FEB-2016 14:21:31.39
PID: 204CD4E0
Process name: TCPIP$SS_BG3428
Username: TCPIP$SSH
Process owner: [TCPIP$AUX,TCPIP$SSH]
Image name: $4$DKA0:[SYS0.SYSCOMMON.][SYSEXE]TCPIP$SSH_SSHD2.EXE
Object class name: FILE
Object name: SYS$COMMON:[SYSEXE]SYSUAF.DAT;1
User record: PROD$GRAB
Flags: New: (none)
Original: (none)
Login failures: New: 1
Original: 0
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)
Security alarm (SECURITY) and security audit (SECURITY) on YBOR, system id: 18432
Auditable event: Network login failure
Event time: 4-FEB-2016 14:21:31.42
PID: 204CD4E0
Process name: TCPIP$SS_BG3428
Username: PROD$GRAB
Remote nodename: SSH_PASSWORD:TC0
Remote username: PROD$GRAB(LOCAL)
Status: %LOGIN-F-NOTVALID, user authorization failure
Thx Advance.