JSON Parsing Of Filtered Syslog JSON Objects Fails

Elastic Stack Logstash
1

I am using the following config and seeing no output. Non-JSON object containing Syslog entries, as well as JSON object containing Syslog entries, are both being dropped. If I comment out the JSON parse then the JSON object successfully appears in the Grok'd syslog_message field without any issue.

What I was trying to achieve was to detect early on whether a Syslog entry actually contains a JSON object, then only attempting to JSON parse it if it indeed appears to contain an object. I wasn't trying to get super crazy with my RegEx though, as either it should contain a JSON-looking object, or not.

Any ideas what I seem to be failing to account for here?

filter {

    if [type] == "samba" {

        grok {
            match => { "message" => "%{SYSLOGBASE}\s*%{GREEDYDATA:syslog_message}" }
        }

	if [syslog_message] =~ /{.*}/ {

		json {
			source => "syslog_message"
		}

		grok {
			match => {
				"[Authorization][localAddress]" => "%{GREEDYDATA}:%{IP:[destination][ip]}:%{INT:[destination][port]}"
			}
		}

		grok {
			match => {
				"[Authorization][remoteAddress]" => "%{GREEDYDATA}:%{IP:[source][ip]}:%{INT:[source][port]}"
		    }
		}

		mutate {
		    rename => [ "[Authorization][account]", "[user][name]" ]
		}

	} else {
            drop { }
        }


    }

}
2

I changed it up a bit to the following, but still got a similar result, with no JSON messages being parsed, and non-JSON messages having a parsing error.

filter {

    if [type] == "samba" {

        grok {
            match => { "message" => "%{SYSLOGBASE}\s+%{JSON:json_message}" }
            pattern_definitions => { "JSON" => "{.*}" }
        }

        json {
                source => "json_message"
        }

}
3

:man_facepalming:

Rookie mistake.

It was parsing it, it just wasn't shipping it to my output, as my output had a conditional that was not met when the JSON parser redefined the field name I had been filtering on, to no longer match the conditional.

But for any folks who come after me, if you need to parse out JSON from a syslog entry then I can happily tell you that my Grok syntax in the post above works beautifully. :+1:

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.