This is some sample data I have:
Aug 27 20:21:46 SERVER-150 john: USER=john PWD=/root PID=[9103] CMD="cat /etc/passwd" Exit=[0] CONNECTION=1.2.3.4
Aug 21 13:21:46 SERVER-230 root: USER=root PWD=/etc/folder PID=[9023] CMD="echo test" Exit=[0] CONNECTION=
Aug 24 14:11:46 MACHINE-ESXi-17_23 jack: USER=root PWD=/home/jack PID=[9003] CMD="not a command" Exit=[0] CONNECTION=
Aug 22 12:21:36 LOG_MACHINE-12 root: USER=root PWD=/root PID=[9203] CMD="cat /etc/passwd" Exit=[0] CONNECTION=202.54.12.15
This is the pattern I currently have:
\A%{SYSLOGTIMESTAMP:sys_timestamp} %{NOTSPACE:Hostname} %{USER:Logged}: USER=%{USER:User} PWD=%{UNIXPATH:Directory} PID=\[%{INT:PID}] CMD=%{QUOTEDSTRING:Command} Exit=\[%{INT:Exit}] CONNECTION=%{GREEDYDATA:Connection}
This is how it looks on Kibana.
The problem is that the values for "Command", which I highlighted in the image above, are in between quotation marks. When someone runs a command with quotation marks in it, like echo "test", grok fails to parse it. It's also less convenient to read through it.
Is there a way to make grok smarter and have it output the field without quotation marks while also working with "commands" with quotations in them, like echo "test"? If that's a problem I can also change the sample data, but I'm not sure what for. I tried a couple of things and it didn't work.
Huge thanks ahead!
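As an added illustration (not part of the original post), the usual fix for this format is to stop using QUOTEDSTRING for CMD and instead capture everything between the literal CMD=" and the literal " Exit=[ that always follows it, so the stored field has no surrounding quotes and embedded quotes survive. The Python below uses the regular-expression equivalent of that grok pattern (grok patterns compile to regexes) and runs it over the four sample lines plus one constructed line containing echo "test"; the field names match the question's pattern.

```python
import re
from typing import Optional

# Regex equivalent of the grok pattern from the question, with one change: the
# command is captured as everything between CMD=" and the " Exit=[ that always
# follows it in this format, instead of QUOTEDSTRING (which keeps the quotes and
# stops at the first unescaped quote). Greedy .* lets echo "test" pass intact.
LINE_RE = re.compile(
    r'\A(?P<sys_timestamp>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<Hostname>\S+) (?P<Logged>[a-zA-Z0-9._-]+): '
    r'USER=(?P<User>[a-zA-Z0-9._-]+) PWD=(?P<Directory>\S+) '
    r'PID=\[(?P<PID>\d+)\] CMD="(?P<Command>.*)" Exit=\[(?P<Exit>\d+)\] '
    r'CONNECTION=(?P<Connection>.*)\Z'
)

def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one audit line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = m.groupdict()
    fields["PID"] = int(fields["PID"])
    fields["Exit"] = int(fields["Exit"])
    # An empty CONNECTION= means a local session; store None rather than "".
    fields["Connection"] = fields["Connection"] or None
    return fields

# Constructed sample input: the four lines from the question plus a fifth whose
# command contains double quotes, the case the original QUOTEDSTRING pattern rejects.
SAMPLE_LINES = [
    'Aug 27 20:21:46 SERVER-150 john: USER=john PWD=/root PID=[9103] CMD="cat /etc/passwd" Exit=[0] CONNECTION=1.2.3.4',
    'Aug 21 13:21:46 SERVER-230 root: USER=root PWD=/etc/folder PID=[9023] CMD="echo test" Exit=[0] CONNECTION=',
    'Aug 24 14:11:46 MACHINE-ESXi-17_23 jack: USER=root PWD=/home/jack PID=[9003] CMD="not a command" Exit=[0] CONNECTION=',
    'Aug 22 12:21:36 LOG_MACHINE-12 root: USER=root PWD=/root PID=[9203] CMD="cat /etc/passwd" Exit=[0] CONNECTION=202.54.12.15',
    'Aug 28 09:00:01 SERVER-150 john: USER=john PWD=/root PID=[9301] CMD="echo "test"" Exit=[0] CONNECTION=1.2.3.4',
]

def parse_all(lines=SAMPLE_LINES) -> list:
    """Parse every line; unparseable lines come back as None so they can be counted."""
    return [parse_line(line) for line in lines]

if __name__ == "__main__":
    for record in parse_all():
        print(record)
```

In grok terms the same CMD part reads `CMD="(?<Command>.*)" Exit=\[%{INT:Exit}]`; `%{DATA:Command}` also works here because `" Exit=[` is an unambiguous terminator.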