Hi, I was trying to grok a email log message to take the email address and make a field of it. I google it and i don't find the patterns to do it. Any help please??
Message examples:
**** ALERT **** Failed IMAP authentication attempt from 218.64.57.12 for "test1@test.com" [EvSecurity]
**** ALERT **** Failed SMTP authentication attempt from 192.168.129.14 for "test2@test.com" [EvSecurity]
Hi!
Didn't test it, but you should be able to use this as a starting point:
grok {
match => [
"message", "^%{DATA:alertmessage} from %{IP:ipaddress} for \"%{NOTSPACE:email_address}\" \[EvSecurity\]$"
]
}Thank you very much, it works perfect!
grok patterns are not anchored by default, so you could just use
grok { match => [ "message", "%{EMAILADDRESS:email_address}" ] }
to grab the email address.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.