Logstash Grok isn't working

I am trying to parse this but it isn't working.

Raw Logs

<187>SCO-N9504-CS01: 2025 Mar 31 18:34:03 UTC: %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from console - login (message repeated 1 time)

Code

    filter {
        grok {
            match => { "message" => "<%{INT:syslog_priority}>%{WORD:hostname}-%{WORD:device_id}: %{TIMESTAMP_ISO8601:timestamp} %{WORD:timezone}: %%{DATA:syslog_message_type}-%{INT:severity}-%{WORD:log_message}: %{DATA:application}: %{GREEDYDATA:message}" }
        }
    }

I get a GrokParseFailure.

That doesn't surprise me. Your log message has three words between the priority and the colon, but your pattern only matches two. Also, that timestamp is not ISO8601, and there is no space between the application and message fields.

Try

    grok {
        pattern_definitions => { "TIMESTAMP" => "%{YEAR} %{SYSLOGTIMESTAMP} %{WORD:timezone}" }
        match => { "message" => "<%{INT:syslog_priority}>%{WORD:hostname}-%{WORD:device_id}-%{WORD}: %{TIMESTAMP:timestamp}: %%{DATA:syslog_message_type}-%{INT:severity}-%{WORD:log_message}: %{DATA:application}:%{GREEDYDATA:message}" }
        overwrite => [ "message" ]
    }

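To see exactly what the accepted pattern extracts, here is an added example (not part of this thread): the grok pattern hand-expanded into an equivalent Python regex, run over the line from the question, alongside a check showing why the original two-word hostname prefix cannot match. The field names follow the grok pattern; the facility/severity decode from the PRI value (PRI = facility * 8 + severity, per RFC 3164) is an extra I added because analysts usually want it next to the raw number.

```python
import re

# Constructed sample: the NX-OS line quoted in the question.
SAMPLE = ("<187>SCO-N9504-CS01: 2025 Mar 31 18:34:03 UTC: "
          "%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from console - login "
          "(message repeated 1 time)")

# The question's pattern only allowed WORD-WORD before the first colon,
# so it stops at the second dash in "SCO-N9504-CS01" and fails.
ORIGINAL_PREFIX = re.compile(r"^<\d+>\w+-\w+: ")

# Hand-expanded equivalent of the accepted grok pattern.
# Grok building blocks: WORD = \w+, INT = \d+, DATA = .*?, GREEDYDATA = .*,
# SYSLOGTIMESTAMP = MONTH +MONTHDAY TIME, and the custom
# TIMESTAMP = YEAR SYSLOGTIMESTAMP WORD:timezone (timezone nested inside timestamp).
ACCEPTED = re.compile(
    r"^<(?P<syslog_priority>\d+)>"
    r"(?P<hostname>\w+)-(?P<device_id>\w+)-\w+: "
    r"(?P<timestamp>\d{4} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<timezone>\w+)): "
    r"%(?P<syslog_message_type>.*?)-(?P<severity>\d+)-(?P<log_message>\w+): "
    r"(?P<application>.*?):(?P<message>.*)$"   # note: no space after the colon
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def original_prefix_matches(line):
    """True if the question's two-word hostname prefix would match this line."""
    return ORIGINAL_PREFIX.match(line) is not None


def parse_nxos_syslog(line):
    """Return the grok fields as a dict, or None on a parse failure."""
    m = ACCEPTED.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["syslog_priority"] = int(fields["syslog_priority"])
    fields["severity"] = int(fields["severity"])
    # Added helper fields: decode the syslog PRI into facility and severity.
    fields["syslog_facility_code"] = fields["syslog_priority"] // 8
    fields["syslog_severity_code"] = fields["syslog_priority"] % 8
    fields["syslog_severity"] = SEVERITIES[fields["syslog_severity_code"]]
    return fields


if __name__ == "__main__":
    print("original prefix matches:", original_prefix_matches(SAMPLE))
    for key, value in parse_nxos_syslog(SAMPLE).items():
        print(f"{key}: {value}")
```

For this line the PRI 187 decodes to facility 23 (local7) and severity 3 (err), which agrees with the `-3-` severity embedded in the message type.
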
Thanks! That did the trick! Silly mistakes. But I am getting duplicate fields now; why do I have a text / keyword field?

See this post. It's not a Logstash issue.
