How do i match in grok

mancharagopan · July 11, 2019, 11:37am

I want to match ASA syslog message for message id, severity and add it to separate fields. How do i match it in grok?

<166>Jul 11 2019 16:46:45: %ASA-6-113012: AAA user authentication Successful : local database : user = user1

I want to match the portions in %ASA-6-113012 separately.

ylasri · July 11, 2019, 11:53am

You can try this sample

<%{INT:recordId}>%{DATA:dateTime}: \%%{DATA:asaEventId}: %{GREEDYDATA:messageText1} : %{GREEDYDATA:messageText2} : %{GREEDYDATA:messageText3}

Result is here from the provided log line sample

ylasri · July 11, 2019, 12:00pm

This one for extracting portions from the required field

<%{INT:recordId}>%{DATA:dateTime}: \%%{DATA:asaEventId_portion1}-%{INT:asaEventId_portion2}-%{INT:asaEventId_portion3}: %{GREEDYDATA:messageText1} : %{GREEDYDATA:messageText2} : %{GREEDYDATA:messageText3}

Example debugging result

mancharagopan · July 11, 2019, 12:02pm

Thank you.

mancharagopan · July 11, 2019, 12:34pm

I have another question if i may ask,
I used Filebeat to parse ASA syslog message but i got an error,
ERROR [syslog] syslog/input.go:132 can't parse event as syslog rfc3164 {"message": "<165>:Jul 10 07:10:12 IST: %ASA-config-5-111010: User 'XXXXX', running 'N/A' from IP 172.x.x.x, executed 'write memory'\n"}

How do i fix this?

system · August 8, 2019, 12:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.