How to parse this format of log

deepanshu_goel · July 4, 2019, 8:59am

LOG WHICH I AM TRYIING TO PARSE:-
2019-07-03 17:04:58.562 DELETE accept UDP 10.133.189.203:56897 -> 233.79.64.194:654 678.133.200.279:56131 -> 23.64.33.898:555 0 0
The grok pattern which i am trying to use:-

filter {
grok { match => { "message" => "%{WORD:abc} %{WORD:xyz} %{WORD:proto} %{IPV4:ip1}:%{INT:port1} -> %{IPV4:ip2}:%{INT:port2} %{IPV4:ip3}:%{INT:port3} -> %{IPV4:ip4}:%{INT:port4} %{INT:byte} %{INT:byte}$"}}
date { match => [ "[@metadata][ts]", "YYYY-MM-dd HH:mm:ss" ] }
}
Please,help me as I am a new in this field.

Badger · July 4, 2019, 1:45pm

IPV4 will only match against valid IP address. For example, that grok pattern will match against

2019-07-03 17:04:58.562 DELETE accept UDP 10.133.189.203:56897 -> 233.79.64.194:654 78.133.200.179:56131 -> 23.64.33.198:555 0 0

deepanshu_goel · July 7, 2019, 5:37pm

Even if i use "IP" instead of "IPV4" there is an error coming which indicates the parsing is not taking place . What could be the possible reason for that.
Now the code i am using is :-

filter {
grok { match => { "message" => "%(DATESTAMP:datestamp) %{WORD:Event} %{WORD:Xevent} %{WORD:protocol} %{IP:ip1}:%{INT:port1} -> %{IP:ip2}:%{INT:port2} %{IP:ip3}:%{INT:port3} -> %{IP:ip4}:%{INT:port4} %{INT:Inbyte} %{INT:Outbyte}$"}}
}
{I EVEN TRIED CHANGING IPV4 TO IP but it DIDN'T WORK OUT }

Badger · July 7, 2019, 6:00pm

You haven't show us what your data looks like, so we cannot help parse it.

deepanshu_goel · July 8, 2019, 5:36am

I have given a log sample in the question asked :-
LOG WHICH I AM TRYIING TO PARSE:-
2019-07-03 17:04:58.562 DELETE accept UDP 10.133.189.203:56897 -> 233.79.64.194:654 678.133.200.279:56131 -> 23.64.33.898:555 0 0

Badger · July 8, 2019, 1:33pm

That is not a valid IP address, so neither IP nor IPV4 will match it.

system · August 5, 2019, 1:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.