How do I grok this Cisco log?

ramindia · September 19, 2018, 3:13am

Hi

Thank you for the earlier help, iam progressing in good way.

Iam going here is more granular logging and get more information for statistic purpose, at the same time i would like retain some message as it is for user to view.

Now i have 2 queries

Log messages :

Sep 19 03:53:51 DHCP-CA-DNS %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up

Grok Pattern :

%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:device_src} %{GREEDYDATA:syslog_message}

Output :

{
** "syslog_timestamp": "Sep 19 03:53:51",**
** "syslog_message": "%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up",**
** "device_src": "DHCP-CA-DNS"**
}

all good so far.

When i go granular i am breaking my syslog_message. breaks in to different data as expected, that is good.

Log :

Sep 19 03:53:51 DHCP-CA-DNS %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up

Grok :
%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:device_src} %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:syslog_message}

Output :
{
** "syslog_timestamp": "Sep 19 03:53:51",**
** "severity_level": "5",**
** "syslog_message": "Line protocol on Interface Ethernet0/0, changed state to up",**
** "facility": "LINEPROTO",**
** "facility_mnemonic": "UPDOWN",**
** "device_src": "DHCP-CA-DNS"**
}

but iam looking as below :

{
"syslog_timestamp": "Sep 19 03:53:51",
"severity_level": "5",
"syslog_message1": "Line protocol on Interface Ethernet0/0, changed state to up",
"facility": "LINEPROTO",
"facility_mnemonic": "UPDOWN",
"device_src": "DHCP-CA-DNS"
"syslog_message" : %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up"
}

How can i achieve this ?

appreciate your help.

ramindia · September 21, 2018, 9:21pm

any help here...

guyboertje · September 25, 2018, 1:37pm

Do you have 2 grok filters? I ask because I don't know where/why you get syslog_message and a syslog_message1 fields.

Use one grok filter and try anchoring the grok pattern to the start-of-string.

^%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:device_src} %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:syslog_message}

ramindia · September 25, 2018, 9:24pm

Thank for the reply, no i have only 1 grok filter, the output iam looking what i want to achieve,

can you give example how i can "Use one grok filter and try anchoring the grok pattern to the start-of-string."

guyboertje · September 26, 2018, 8:35am

In return for the example please edit the title of this discussion to make it easier for other to find the example below. "How do I grok this Cisco <device name here> log?"

Config example:

input {
  generator {
    message => 'Sep 19 03:53:51 DHCP-CA-DNS %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up'
    count => 1
  }
}

filter {
  grok {
    match => {
      "message" => [
        '^%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:device_src} %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:syslog_message}'
      ]
    }
  }
}

output {
  stdout { codec => rubydebug }
}

Result:

{
             "facility" => "LINEPROTO",
                 "host" => "Elastics-MacBook-Pro.local",
     "syslog_timestamp" => "Sep 19 03:53:51",
             "@version" => "1",
           "@timestamp" => 2018-09-26T08:31:21.756Z,
           "device_src" => "DHCP-CA-DNS",
             "sequence" => 0,
       "syslog_message" => "Line protocol on Interface Ethernet0/0, changed state to up",
              "message" => "Sep 19 03:53:51 DHCP-CA-DNS %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up",
       "severity_level" => "5",
    "facility_mnemonic" => "UPDOWN"
}

ramindia · September 26, 2018, 9:10pm

Thank you let me try and get back to you.

may be i gave some information wrong, in the grok, i have 3 or 4 match patterns, is this still works ?

guyboertje · September 27, 2018, 10:25am

Yes, multiple patterns are OK, have a look at the break_on_match setting in the docs.

ramindia · September 27, 2018, 9:50pm

break_on_match setting - if i understand correctly, once it matches then it will not proceed to next match and send the output to ES.

correct me if iam wrong please.

guyboertje · September 28, 2018, 1:09pm

Correct

system · October 26, 2018, 1:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_grokparsefailure even though the right patterns are there Logstash	5	648	August 17, 2017
Grokparsefailure with a pattern verified by grok debug Logstash	10	2814	September 22, 2017
Need help - Cisco syslog events matching in GROK debugger but not showing up in Logstash	8	618	August 29, 2021
The unusual syslog from cisco Logstash	10	793	November 16, 2017
Cisco UCS message match Logstash	1	513	June 2, 2017

How do I grok this Cisco log?

Related topics