Need Help Groking

I am attempting to write my first grok filter but I'm not getting any logs parsed. Here is my sample log.

<30>2020:02:26-12:41:48 aua[18909]: id="3005" severity="warn" sys="System" sub="auth" 
name="Authentication failed" srcip="1.2.3.4" host="" user="admin" caller="openvpn" 
reason="DENIED"

I'm only interested in four fields. I've used the grok debugger https://grokdebug.herokuapp.com/ with the pattern below and it parses correctly.

.*name="%{DATA:event.action}".*srcip="%{IP:source.ip}".*user="%{USER:user.name}".*caller="%{WORD:event.type}"

Here is my grok filter. I thought it was something to do with the double quotes so I tried escaping them but no change. Very new to this so not sure if this is the easiest method or if there is something else I need to do to create this filter.

         grok {
      match => {"message" => ".*name=\"%{DATA:event.action}\".*srcip=\"%{IP:source.ip}\".*user=\"%{USER:user.name}\".*caller=\"%{WORD:event.type}\""}
    }

I would not use grok for that, I would use dissect to parse off everything up to the : after the pid, and then use a kv filter for the rest of the line, then maybe use prune with a whitelist to clean up the kv output.

Alternatively, set break_on_match to false, and grok out all the individual fields. Do not put .* between them, just enter each pattern like srcip="%{IP:source.ip}" into the array.

Going the kv gives me more fields than I need but it much cleaner and easier.

Thanks Badger for your help!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.