Need help for writting Nested Parser

Elastic Stack Logstash
1

Hey ,
I need some help for writing Nested Parser for following log,
its has the same type , field of logs from beginning in the middle of current log.
see yourself
174>ABC Firewall: 17May2020 23:09:18 5 N/A 5 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: 17May2020 23:09:15 5 N/A 16 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: 17May2020 23:09:11 5 N/A 20 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: 17May2020 23:09:08 5 N/A 52 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: (+); facility: local use 5; syslog_severity: Informational; ProductName: Syslog; ProductFamily: Network;(+); facility: local use 5; syslog_severity: Informational; ProductName: Syslog; ProductFamily: Network;(+); facility: local use 5; syslog_severity: Informational; ProductName: Syslog; ProductFamily: Network;(+); facility: local use 5; syslog_severity: Informational; Prod

Please Help needed on urgent basis
thanks in advance

2

I would break off the initial section with dissect, then chop up the rest using a kv filter.

3

@Badger I have tried Using grok and KV filter
But in from this field
default_device_message: <174>Firewall:
on words the message starts again and the value for the field default_device_message: is
default_device_message: <174>Firewall: 17May2020 23:09:15 5 N/A 16 IP > N/A LogId: <max_null>
this is because kv is searching for ;as next field separator

and that is my main problem

ANY Suggestion would be highly appreciated .
Thank you

4

That looks right. What would you like it to be instead of that?

5

@Badger I want rest all after default_device_message: as a value so i can again parse it using grok
and further more.

6

Sorry I still do not understand what value you want the default_device_message to have. Can you copy and paste the string that you want it have as its value?

7

@Badger I want this

default_device_message: <174>Firewall: 17May2020 23:09:15 5 N/A 16 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: 17May2020 23:09:11 5 N/A 20 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: 17May2020 23:09:08 5 N/A 52 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: (+); facility: local use 5; syslog_severity: Informational; ProductName: Syslog; ProductFamily: Network;(+); facility: local use 5; syslog_severity: Informational; ProductName: Syslog; ProductFamily: Network;(+); facility: local use 5; syslog_severity: Informational; ProductName: Syslog; ProductFamily: Network;(+); facility: local use 5; syslog_severity: Informational; Prod

default_device_message field Name
and
<174>Firewall: 17May2020 23:09:15 5 N/A 16 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: 17May2020 23:09:11 5 N/A 20 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: 17May2020 23:09:08 5 N/A 52 IP > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; default_device_message: <174>Firewall: (+); facility: local use 5; syslog_severity: Informational; ProductName: Syslog; ProductFamily: Network;(+); facility: local use 5; syslog_severity: Informational; ProductName: Syslog; ProductFamily: Network;(+); facility: local use 5; syslog_severity: Informational; ProductName: Syslog; ProductFamily: Network;(+); facility: local use 5; syslog_severity: Informational; Prod
as Value

8

OK, so use dissect or grok to parse it, do not use kv.

9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.