Logstash filter plugin (Grok): custom pattern does not match curly bracket!

I have a problem with the grok plugin: the curly bracket does not match in the Grok filter plugin.
sample log:
{Allowed/Denied} ....
regex:
ACTION_FIREWALL (Allowed|Denied)
Pattern:
{%{ACTION_FIREWALL:action_firewall}}
When I try this regex and custom pattern I get a "no match" error; when I test the regex on https://regex101.com/ everything is OK.
How can I fix this problem?
Thanks for your help!

Confused by the sample log.
Can you please update regex101.com, save it as an example, and post the data and the regex you tried as part of the regex101.com example link? Something like: https://regex101.com/r/PBNZ5u/1

Hi Kelk, and thanks for the reply.

sample log:
[1399-05-01 14:37:52] {Allowed/Denied} connection on client

pattern (SEMANTIC):
[%{FDATE:fdate}\s%{FTIME:ftime}]\s{%{ACTION_FIREWALL:action_firewall}}

syntax:
FDATE [0-9]{1,4}-[0-9]{1,2}-[0-9]{1,2}
FTIME [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}
ACTION_FIREWALL (Allowed|Denied)

In the grok debugger, with the bracket closed, I get the error: no matches.

Try \[%{FDATE:fdate}\s%{FTIME:ftime}\]\s{%{ACTION_FIREWALL:action_firewall}}

Hello @Jenni, thanks for the reply. I tested it; it is not working.
https://grokdebug.herokuapp.com/

@Jenni please see the link
https://grokdebug.herokuapp.com/

You meant that your log lines are [1399-05-01 14:37:52] {Allowed} connection on client or [1399-05-01 14:37:52] {Denied} connection on client, didn't you? That's working fine for me.

[1399-05-01 14:37:52] {Allowed} connection on client leads to:

{
  "fdate": [
    [
      "1399-05-01"
    ]
  ],
  "ftime": [
    [
      "14:37:52"
    ]
  ],
  "action_firewall": [
    [
      "Allowed"
    ]
  ]
}

Yes, I mean the action is Allowed or Denied.
https://grokdebug.herokuapp.com/
When I close the curly bracket to continue parsing the log, I get the error: no matches.

Please find sample data and equivalent Grok

 [1399-05-01 14:37:52] {Allowed} connection on client
 [1399-05-01 14:37:52] {Denied} connection on client

grok

\[%{TIMESTAMP_ISO8601:timestamp}\]\s*\{%{WORD:action_firewall}\}\s*%{GREEDYDATA:rest_of_msg}


Am I doing something differently?


@kelk please see this link:
https://grokdebug.herokuapp.com/

Worked for you? :open_mouth:

The link you sent is just a generic link. The herokuapp doesn't give a unique link like regex101, unfortunately, so we can't see what you have done.

[%{FDATE:fdate}\s%{FTIME:ftime}]\s{%{ACTION_FIREWALL:action_firewall}}
This pattern does not work for me.
I get the error: no matches :frowning:

But you didn't even apply the changes I had suggested (I escaped the [])


It does not work.

So the log line does really say {Allowed/Denied} and not {Allowed} or {Denied}? That sounds strange to me, but then your custom pattern would have to say

ACTION_FIREWALL Allowed/Denied

Oh sorry, my bad: Allowed or Denied, not {Allowed/Denied}.
@Jenni thanks for the help, it worked.
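
The two fixes from this thread, reproduced as an added example that is not part of any post above and is not Logstash's own code: `expand` and `grok_match` are hypothetical helpers that approximate grok's `%{NAME:field}` expansion with Ruby's regex engine, and the log lines are constructed from the samples posted in the thread.

```ruby
# Custom patterns exactly as posted in the thread.
PATTERNS = {
  'FDATE'           => '[0-9]{1,4}-[0-9]{1,2}-[0-9]{1,2}',
  'FTIME'           => '[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}',
  'ACTION_FIREWALL' => '(Allowed|Denied)'
}.freeze

# Expression as first posted (brackets unescaped) and as corrected.
UNESCAPED = '[%{FDATE:fdate}\s%{FTIME:ftime}]\s{%{ACTION_FIREWALL:action_firewall}}'
ESCAPED   = '\[%{FDATE:fdate}\s%{FTIME:ftime}\]\s{%{ACTION_FIREWALL:action_firewall}}'

# Constructed sample lines: the two real forms, plus the literal
# "{Allowed/Denied}" that the first post showed by mistake.
LINES = [
  '[1399-05-01 14:37:52] {Allowed} connection on client',
  '[1399-05-01 14:37:52] {Denied} connection on client',
  '[1399-05-01 14:37:52] {Allowed/Denied} connection on client'
].freeze

# Hypothetical stand-in for grok expansion: %{NAME:field} -> (?<field>regex).
def expand(grok)
  grok.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{PATTERNS.fetch($1)})" }
end

# Returns the captured fields as a hash, or nil when the expression is
# rejected by the engine or simply does not match. Either way the user
# sees "no matches".
def grok_match(grok, line)
  m = Regexp.new(expand(grok)).match(line)
  m && m.named_captures
rescue RegexpError
  nil
end

if __FILE__ == $PROGRAM_NAME
  LINES.each do |line|
    # Unescaped [ ... ] is read as a character class, not a literal bracket
    # pair, so the timestamp is never parsed as a date and time.
    puts "unescaped: #{grok_match(UNESCAPED, line).inspect}"
    # Escaped brackets match literally; the third line still fails because
    # (Allowed|Denied) cannot consume the "/" before the closing brace.
    puts "escaped:   #{grok_match(ESCAPED, line).inspect}"
  end
end
```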
