Dissector mapping, pattern not found error in Logstash

I have a log message which I split using grok, and then I use an if conditional to parse a field using the dissect filter. But it is giving me a "Dissector mapping, pattern not found" error.
I tried the dissect pattern on the https://dissect-tester.jorgelbg.me/ website and it was working fine there. Even for the errored pattern, it was doing fine.

if 'kafka' not in [tags] {
    grok {
        tag_on_failure => ["windows_message_grok_failed"]
        match => {
            "message" => [
                "(?<[windows][event_id]>[0-9]*)#011(?<unknown_field>[a-zA-Z/s]*)011#011%{GREEDYDATA:event_text}"
            ]
        }
        add_tag => ["windows"]
    }
    if [windows][event_id] == '4662' {
        dissect {
            id => "dissect_pattern_windows_4662"
            mapping => {
                "event_text" => "%{text->}Subject%{?ignore->}Security ID:%{[subject][security_id]->}Account Name:%{[subject][account_name]->}Account Domain:%{[subject][account_domain]->}Logon ID:%{[subject][logon_id]->}Object:%{?ignore->}Object Server:%{[object][server]->}Object Type:%{[object][object_type]->}Object Name:%{[object][object_name]->}Handle ID:%{[object][handle_id]->}Operation:%{?ignore->}Operation Type:%{[operation][operation_type]->}Accesses:%{[operation][accesses]->}Access Mask:%{[operation][access_mask]->}Properties:%{[operation][properties]->}Additional Information:%{?ignore->}Parameter 1:%{[additional_information][parameter1]->}Parameter 2:%{[additional_information][parameter2]->}#011%{residue_code->}"
            }
            add_tag => ["event_id_parsed","dissect_4662"]
        }
    }
}

Also, here is one message for which I got the above warning (this works perfectly on the above website with the pattern above).
This is the text coming under the "event_text" field, which is parsed by the grok filter. Using the above website and the dissect filter pattern, I was able to get it working on the website. But in Logstash, it returns the "Dissector mapping, pattern not found" error.

An operation was performed on an object.    Subject :   Security ID:  P-7-5-21-1593251271-26251271   Account Name:  FIDILIS$   Account Domain:  FW-TRA   Logon ID:  0x16ACD1E8D    Object:   Object Server:  DS   Object Type:  %{df232386-0fg5-00d0-a878-53312d5f5926}   Object Name:  %{233423q5-2fb3-4mac-b2ce-42295d4544423}   Handle ID:  0x0    Operation:   Operation Type:  Object Access   Accesses:  Read Property         Access Mask:  0x10   Properties:  Read Property    {233423q5-2fb3-4mac-b2ce-42295d4544423}      Additional Information:   Parameter 1:  -   Parameter 2:  #0111877943017\n

Does anyone know what the cause of such behaviour is and how to solve this?

Remove all of the -> in your patterns. See this issue.

"%{text->}Subject%{...}

does not match

"An operation was performed on an object.    Subject : 

It does match

"An operation was performed on an object.    SubjectSubject :
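
The fix suggested above, written out as an added example that is not part of the original thread: the poster's 4662 mapping with every `->` removed. The `mutate` block with `strip` is an assumption added here, because without `->` each captured value keeps the whitespace that surrounds it in the event text.

```logstash
filter {
  if [windows][event_id] == '4662' {
    # Same delimiters and field names as the mapping in the question; only the "->" suffixes are gone.
    dissect {
      id => "dissect_pattern_windows_4662"
      mapping => {
        "event_text" => "%{text}Subject%{?ignore}Security ID:%{[subject][security_id]}Account Name:%{[subject][account_name]}Account Domain:%{[subject][account_domain]}Logon ID:%{[subject][logon_id]}Object:%{?ignore}Object Server:%{[object][server]}Object Type:%{[object][object_type]}Object Name:%{[object][object_name]}Handle ID:%{[object][handle_id]}Operation:%{?ignore}Operation Type:%{[operation][operation_type]}Accesses:%{[operation][accesses]}Access Mask:%{[operation][access_mask]}Properties:%{[operation][properties]}Additional Information:%{?ignore}Parameter 1:%{[additional_information][parameter1]}Parameter 2:%{[additional_information][parameter2]}#011%{residue_code}"
      }
      add_tag => ["event_id_parsed", "dissect_4662"]
    }

    # Assumption (not from the thread): trim the leading and trailing spaces
    # that the "->" suffixes were meant to absorb.
    mutate {
      strip => [
        "text",
        "[subject][security_id]",
        "[subject][account_name]",
        "[subject][account_domain]",
        "[subject][logon_id]",
        "[object][server]",
        "[object][object_type]",
        "[object][object_name]",
        "[object][handle_id]",
        "[operation][operation_type]",
        "[operation][accesses]",
        "[operation][access_mask]",
        "[operation][properties]",
        "[additional_information][parameter1]",
        "[additional_information][parameter2]"
      ]
    }
  }
}
```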

Thanks for pointing this out. It worked out great.
Also, I had to update the logger setting with the API call below to remove the WARN level logs, which clogged my Logstash logs.

curl -XPUT 'localhost:9600/_node/logging?pretty' -H 'Content-Type: application/json' -d'
  {
      "logger.org.logstash.dissect.Dissector" : "ERROR"
  }'
