Help with this grok

Need a grok filter that parses out the account (the peacesat) from these two types of logs:

Case 1:

Apr 11 14:26:55 mail saslauthd[15405]: auth_zimbra: auth failed: authentication failed for []

Case 2:

Apr 11 14:21:03 mail saslauthd[15406]: auth_zimbra: peacesat auth failed: authentication failed for [peacesat]



Are you sure that you want to use grok? I think Dissect is better here. Grok uses regular expressions, while Dissect looks at delimiters. This makes Dissect faster. It looks like these logs share the same delimiters ("[" & ":" & "]"). Please let me know what you think.
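
An added example, not part of the original thread: a Python sketch of the extraction both posts describe, anchored on the shared "[" and "]" delimiters so that Case 1 (empty brackets) and Case 2 both parse, followed by a per-account tally of failed authentications. The function names, the "<none>" label and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input: the two lines from the question, plus one
# made-up repeat of Case 2 with a different timestamp.
SAMPLE_LINES = [
    "Apr 11 14:26:55 mail saslauthd[15405]: auth_zimbra: auth failed: authentication failed for []",
    "Apr 11 14:21:03 mail saslauthd[15406]: auth_zimbra: peacesat auth failed: authentication failed for [peacesat]",
    "Apr 11 14:21:09 mail saslauthd[15406]: auth_zimbra: peacesat auth failed: authentication failed for [peacesat]",
]

# The account is taken from the trailing [...] only; the optional token
# before "auth failed" (present in Case 2, absent in Case 1) is skipped.
LINE_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) saslauthd\[(?P<pid>\d+)\]: auth_zimbra: "
    r"(?:\S+ )?auth failed: authentication failed for "
    r"\[(?P<account>[^\]]*)\]$"
)


def parse_line(line):
    """Return a dict of fields, or None if the line is not an auth failure."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    # Case 1: empty brackets mean no account name was logged.
    event["account"] = event["account"] or None
    return event


def failures_by_account(lines):
    """Count failed authentications per account; unparsed lines are skipped."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event is not None:
            counts[event["account"] or "<none>"] += 1
    return counts


if __name__ == "__main__":
    for account, n in failures_by_account(SAMPLE_LINES).most_common():
        print(account, n)
```
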

