How to Parse logfile with columns informations

Elastic Stack Logstash
1

Dear All,

I'm trying to parse a very specific Log, this log look like this:

pid  user_name  user_authentication  client_host  client_lib_ver
===  =========  ===================  ===========  ==============

510  dmadmin    Password             0111APPT     5.3.0.622 SP6 
378  dmadmin    Password             ADTS71       7.1.0450.0357 
464  dmadmin    Password             ADTS71       7.1.0450.0357 
410  dmadmin    Trusted Client       DCTMLS20     7.3.0030.0023 
307  dmadmin    Trusted Client       DCTMLS20     7.3.0040.0025 
432  Aodren LE  Ticket               0112APPT     7.2.0000.0054 
338  Aodren LE  Ticket               0112APPT     7.2.0000.0054 
688  Aodren LE  Ticket               0112APPT     7.2.0000.0054

My question is: how can I parse in logstash with grok filter this kind of log? and is it possible?

Many thanks for your feed Back

2

Of course it's possible, but using a csv or dissect filter might be easier. Are columns always separated by two or more spaces, i.e. how do we know that "Aodren LE" is part of the same column?

3

Hello Magnus,

To begin, Thank you for your response.

I'm completly agree with you, if this log will be in csv, it could be an easier way.

Every columns are separated by two spaces, and for the column User_name, the string is include in the length of the multiple string "=" on the top of the log

If it's possible to do that with the dissect filter, how can I do that?

Thank you

4

Magnus, do you have an idea.?

5

This example from the documentation is pretty close to what you need: https://www.elastic.co/guide/en/logstash/current/plugins-filters-dissect.html#_delimiters_used_as_padding_to_visually_align_fields

6

Magnus,

it seems to be interresting!! many thanks for your feed back

7

Last question Magnus, do you hnow if Dissect Debugger similar to the grok debugger exit?

it's very helpful for debugging logstash config

8

Last question Magnus, do you hnow if Dissect Debugger similar to the grok debugger exit?

I don't believe there's anything like that.