Ingest Node Pipeline doesn't allow for "\[" pattern

madduck · September 28, 2020, 3:52pm

Hi gang,

I'm trying to parse some logs into my index but I always get the GROK error: "Provided Grok expressions do not match field value"

Error Message
Provided Grok expressions do not match field value: [Sep 28 17:19:59 hostname samba: conn[ldap] c[ipv4] s[ipv4] server_id[number][number]: Auth: [LDAP,simple bind/TLS] user [(null)]\\[user_string] at [Mon, 28 Sep 2020 17:19:59.022083 CEST] with [Plaintext] status [outcome] workstation [(null)] remote host [ipv4] mapped to [domain]\\[user]. local host [ipv4]]

Actual Log
[Sep 28 17:19:59 hostname samba: conn[ldap] c[ipv4] s[ipv4] server_id[number][number]: Auth: [LDAP,simple bind/TLS] user [(null)]\\[user_string] at [Mon, 28 Sep 2020 17:19:59.022083 CEST] with [Plaintext] status [outcome] workstation [(null)] remote host [ipv4] mapped to [domain]\[user]. local host [ipv4]]

GROK Filter in Elasticsearch

{
"ignore_missing": true,
"field": "message",
"patterns": [
"%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{WORD:process.name}: conn[%{WORD:service}] c[ipv4:%{IPV4:client.address}:%{BASE10NUM:client.port}] s[ipv4:%{IPV4:source.address}:%{BASE10NUM:source.port}] server_id[%{BASE10NUM}][%{BASE10NUM}]: %{GREEDYDATA}Auth: [LDAP,simple bind/TLS] user [(null)]\[%{GREEDYDATA:user.object}] at [%{WORD:weekday}, %{GREEDYDATA:event.timestamp} %{WORD:timezone}] with [%{WORD}] status [%{WORD:event.outcome}] workstation [(null)] remote host [ipv4:%{IPV4}:%{BASE10NUM}] %{GREEDYDATA} [%{WORD:domain}]\\[%{USERNAME:user.name}]"
],
"description": "Logon"
}

GROK Filter according to https://grokdebug.herokuapp.com

%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{WORD:process.name}: conn[%{WORD:service}] c[ipv4:%{IPV4:client.address}:%{BASE10NUM:client.port}] s[ipv4:%{IPV4:source.address}:%{BASE10NUM:source.port}] server_id[%{BASE10NUM}][%{BASE10NUM}]: %{GREEDYDATA}Auth: [LDAP,simple bind/TLS] user [(null)]\[%{GREEDYDATA:user.object}] at [%{WORD:weekday}, %{GREEDYDATA:event.timestamp} %{WORD:timezone}] with [%{WORD}] status [%{WORD:event.outcome}] workstation [(null)] remote host [ipv4:%{IPV4}:%{BASE10NUM}] %{GREEDYDATA} [%{WORD:domain}]\[%{USERNAME:user.name}]

The problem, I think, comes from the part where it says "[domain]\\[user]"
The log goes [domain]\[user] (single backslash) however when I try to add it like that to my pipeline I get a squiggly line beneath it, marking the expression as invalid.

Adding a second backslash fixes the squiggly line and the pipeline is ready to be saved.

However, this leaves me with a Grok parser failure because for whatever reason the escape character gets interpreted too.
Did I stumble across a bug or is there another way around this?

For the record, I have tried to substitute the backslash part with a %{GREEDYDATA} tag but this led to unwanted results.

jesper247 · October 16, 2020, 9:48am

Hey

Just took a stab at the first part of your log inside the pipeline simulator within Dev Tools->Console in Kibana 7.9. I also added some real data to the IPV4 and stuff just so it could parse. The \ seems to be an escaping problem as you have to both escape the \'s and the ['s. The portion below parses and works within the pipeline simulator.

 POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description" : "Samba log grok parsing",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": ["%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{WORD:process.name}: conn\\[%{WORD:service}] c\\[%{IPV4:client.address}:%{BASE10NUM:client.port}] s\\[%{IPV4:source.address}:%{BASE10NUM:source.port}] server_id\\[%{BASE10NUM:sid1}]\\[%{BASE10NUM:sid2}]: Auth: \\[%{WORD:protocol},%{DATA:binding}] user \\[%{NOTSPACE:user.part0}]\\\\\\[%{NOTSPACE:user.object}]"]
        }
      }
    ]
  },
  "docs":[
    {
      "_source": {
        "message": "[Sep 28 17:19:59 hostname samba: conn[ldap] c[120.0.0.1:9807] s[120.0.0.2:80] server_id[12][13]: Auth: [LDAP,simple bind/TLS] user [(null)]\\[user_string] at [Mon, 28 Sep 2020 17:19:59.022083 CEST] with [Plaintext] status [outcome] workstation [(null)] remote host [ipv4] mapped to [domain]\\[user]. local host [ipv4]]"
      }
    }
  ]
}

Oh, and then, I see 'source' in the s[xxxx:yyy] match part. Should the not be Server IPNumber? (like, server and client IP Numbers?)

madduck · October 19, 2020, 12:08pm

Hi Jesper,

thanks for reaching out. I fixed this issue by going back to logstash pipelines since I am more familiar with those.
I tried your solution just for the fun of it and it worked like a charm.

Correct assumption, I simply removed the actual IP Addresses from the log due to privacy/security concerns.

system · November 16, 2020, 12:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ingest Pipeline for parsing multiline fields giving provided Grok expressions do not match field value error error Elasticsearch	2	293	August 6, 2023
Provided Grok expressions do not match field value Beats filebeat	1	285	August 31, 2020
Provided Grok patterns do not match field value Elasticsearch	11	2014	April 13, 2020
Grok pattern query for access logs Elasticsearch	10	1043	December 20, 2019
Filebeat error using ingest pipeline: Provided Grok expressions do not match field value Beats filebeat	4	6094	June 15, 2017

Ingest Node Pipeline doesn't allow for "\[" pattern

Related Topics