How to parse Logline

hispeed · May 31, 2017, 12:17pm

Hi,

I have the following line which I recieve in Kibana successfully.

Connection ArchivUser: CIFS client [ArchivUser] from [192.168.0.15(IP:192.168.0.15)] accessed the shared folder [Archiv Filme].

So: "Connection" I want to add in a new field called: "Synology_Verb_Typ". "ArchivUser" is the Username and so this should be in a field called: Username or User.

I'm still new to the whole elasticsearch stack. So my question how can I now parse this log line? Can someone give an example only for the two fields, then it should be possible for me to get the whole line done.

pts0 · May 31, 2017, 12:41pm

Have a look at https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html

hispeed · May 31, 2017, 7:05pm

I tried with the following code, but nothing usful happens:

filter {

    if [logsource] == "XXXXXXserver" {
        grok {
                 match => { "message" => "%{WORD:Synology_Verb_Typ} %{SPACE} %{USERNAME:Syno_User} %{GREEDYDATA}" }
        }

        kv  {
                value_split => ":"
                field_split => ","
        }
   }
    if [logsource] == "XXXXXX_SERVER" {

        kv  {
                value_split => ":"
                field_split => ","
        }
   }
}

Attached you can vie the output in Kibana.

pts0 · May 31, 2017, 9:44pm

I suppose problem is that you have a space and %{SPACE} in you expression, that result in failing parsing. Did you get _grokparsefailure ?

try

grok {
                 match => { "message" => "%{WORD:Synology_Verb_Typ}%{SPACE}\[%{USERNAME:Syno_User}\] %{GREEDYDATA}" }
        }

hispeed · June 7, 2017, 7:37am

Hi, i have added your line but I think i got a different problem.
Because right now I won't add my Tag. So I think it is not going thru the filter. How can i check that?

filter {

    if [logsource] == "XXXXerver" {
        grok {
                 match => { "message" => "%{WORD:Synology_Verb_Typ}%\[%{USERNAME:Syno_User}\] %{GREEDYDATA}" }
        add_tag => [ "Synology%{host}" ]
        }

        kv  {
                value_split => ":"
                field_split => ","
        }
   }
    if [logsource] == "XXXXStation" {

        kv  {
                value_split => ":"
                field_split => ","
        }
   }
}

system · July 5, 2017, 7:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.