Need a grok filter that parses out the account (the peacesat) from these two types of logs
Case 1:
Apr 11 14:26:55 mail saslauthd[15405]: auth_zimbra: peacesat@uhtasi.org auth failed: authentication failed for [peacesat@whtasi.org]
Case 2:
Apr 11 14:21:03 mail saslauthd[15406]: auth_zimbra: peacesat auth failed: authentication failed for [peacesat]
Thanks
Hey,
Are you sure that you want to use grok? I think Dissect is better here. Grok uses regular expressions, while dissect looks at delimiters. This makes Dissect faster. It looks like these logs share the same delimiters ("[" & ":" & "]") . Please let me know what you think,
Tim
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.