Help with this grok

roman-tasi · April 12, 2023, 9:14am

Need a grok filter that parses out the account (the peacesat) from these two types of logs

Case 1:

Apr 11 14:26:55 mail saslauthd[15405]: auth_zimbra: peacesat@uhtasi.org auth failed: authentication failed for [peacesat@whtasi.org]

Case 2:

Apr 11 14:21:03 mail saslauthd[15406]: auth_zimbra: peacesat auth failed: authentication failed for [peacesat]

Thanks

TimBosman · April 12, 2023, 9:28am

Hey,

Are you sure that you want to use grok? I think Dissect is better here. Grok uses regular expressions, while dissect looks at delimiters. This makes Dissect faster. It looks like these logs share the same delimiters ("[" & ":" & "]") . Please let me know what you think,

Tim

Topic		Replies	Views
Help with using Grok to parse these three log formats Logstash	9	489	April 30, 2023
I Can't Parse My Logs with Grok or Dissect Filter Logstash	6	604	February 3, 2019
Q. grok filter pattern Logstash	8	948	October 14, 2018
Grok Syntax Logstash	2	257	October 19, 2020
Grok + Dissect - how to work properly? Logstash	4	833	May 4, 2020

Help with this grok

Related topics