Logstash filter plugin (Grok) for custom pattern Not match curly bracket!

AliMaleki21 · July 29, 2020, 12:52pm

i have problem with grok plugin, curly bracket not match on Grok filter plugin
sample log:
{Allowed/Denied} ....
regex:
ACTION_FIREWALL (Allowed|Denied)
Pattern:
{%{ACTION_FIREWALL:action_firewall}}
when try this regex and custome pattern get error not match, test regex on https://regex101.com/ every think is ok
how can i fix this problem ?
thanks for your HELP !

kelk · July 29, 2020, 2:48pm

confused by the sample log.
Can you please update regex101.com and save as an example and post the data and the regex you tried as part of the regex101.com example link. Something like : https://regex101.com/r/PBNZ5u/1

AliMaleki21 · July 29, 2020, 2:58pm

hi Kelk and thanks for reply

sample log:
[1399-05-01 14:37:52] {Allowed/Denied} connection on client

patten( SEMANTIC):
[%{FDATE:fdate}\s%{FTIME:ftime}]\s{%{ACTION_FIREWALL:action_firewall}}

syntax:
FDATE [0-9]{1,4}-[0-9]{1,2}-[0-9]{1,2}
FTIME [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}
ACTION_FIREWALL (Allowed|Denied)

in grok debugger bracket closed ,i have error no matches

Jenni · July 29, 2020, 3:06pm

Try \[%{FDATE:fdate}\s%{FTIME:ftime}\]\s{%{ACTION_FIREWALL:action_firewall}}

AliMaleki21 · July 29, 2020, 3:07pm

hello @Jenni thanks for reply im test it not working
https://grokdebug.herokuapp.com/

AliMaleki21 · July 29, 2020, 3:09pm

@Jenni please see link
https://grokdebug.herokuapp.com/

Jenni · July 29, 2020, 3:12pm

You meant that your log lines are [1399-05-01 14:37:52] {Allowed} connection on client or [1399-05-01 14:37:52] {Denied} connection on client, didn't you? That's working fine for me.

[1399-05-01 14:37:52] {Allowed} connection on client leads to:

{
  "fdate": [
    [
      "1399-05-01"
    ]
  ],
  "ftime": [
    [
      "14:37:52"
    ]
  ],
  "action_firewall": [
    [
      "Allowed"
    ]
  ]
}

AliMaleki21 · July 29, 2020, 3:16pm

yes i mean action allowed or denied
https://grokdebug.herokuapp.com/
when i close the curly bracket for continue pars log get error no matches

kelk · July 29, 2020, 3:16pm

Please find sample data and equivalent Grok

 [1399-05-01 14:37:52] {Allowed} connection on client
 [1399-05-01 14:37:52] {Denied} connection on client

grok

\[%{TIMESTAMP_ISO8601:timestamp}\]\s*\{%{WORD:action_firewall}\}\s*%{GREEDYDATA:rest_of_msg}

Jenni · July 29, 2020, 3:20pm

Am I doing something differently?

AliMaleki21 · July 29, 2020, 3:21pm

@kelk please see this link
https://grokdebug.herokuapp.com/

AliMaleki21 · July 29, 2020, 3:22pm

worked for you ?

kelk · July 29, 2020, 3:22pm

the link you sent is just a generic link. the herokuapp doesn't give unique link like regex101 unfortunately. So we can't see what you have done.

AliMaleki21 · July 29, 2020, 3:26pm

[%{FDATE:fdate}\s%{FTIME:ftime}]\s{%{ACTION_FIREWALL:action_firewall}}
this pattern not work for me
get error no matches

Jenni · July 29, 2020, 3:29pm

But you didn't even apply the changes I had suggested (I escaped the [])

AliMaleki21 · July 29, 2020, 3:35pm

not work

Jenni · July 29, 2020, 3:37pm

So the log line does really say {Allowed/Denied} and not {Allowed} or {Denied}? That sounds strange to me, but then your custom pattern would have to say

ACTION_FIREWALL Allowed/Denied

AliMaleki21 · July 29, 2020, 3:42pm

oh sorry my bad Allowed or Denied not {Allowed/Denied}
@Jenni thanks for help its worked

system · August 26, 2020, 3:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.