Need help in capturing a pattern

Hi Experts,
Iam using filebeat to feed my logs to Logstash.

Now, I need your help in capturing the occurences of "Sign on Code failed for user" in my logs. Kindly help me with the grok pattern code for it.

My sample log entry is as below -
JVM.128077 (437) [2020-03-31T11:56:24.569 Usercheck] c9qnpn/QLB2UyA 1610670968891559937 - (3) Sign on Code failed for user


Why use grok? You can just do a string match

if "Sign on Code failed for user" in [message] { ...
1 Like

Hello There,
Thanks for your reply.

Could you please help to fix the below issue.
I tested my grok pattern online and it looks good but when I try to test my config file using below command. I am getting error. I tried changing {} to in the match statement but no luck.

./logstash -f failedlogins.conf --config.test_and_exit

input {
  file {
    path => "/searchtech/logstash-7.6.1/bin/failelogin.log"
    start_position => "beginning"
	sincedb_path => "/dev/null"
	type => syslog

filter {
    grok {
      match => {%{WORD:process}\.%{NOTSPACE:pid}%{SPACE}(\(%{NUMBER:service_request}\))%{SPACE}\[%{TIMESTAMP_ISO8601:app_timestamp}(%{SPACE}%{DATA:tuxservice})]%{SPACE}%{NOTSPACE:SRID}%{SPACE}%{NOTSPACE:TOPInstanceID}%{SPACE}%{USER:oprid}%{SPACE}\(%{NUMBER:log_level}\)%{SPACE}%{SPACE}%{GREEDYDATA:log_message}}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }

Error -
[2020-03-31T16:28:34,635][FATAL][logstash.runner ] The given configuration is invalid. Reason: Expected one of [ \t\r\n], "#", "-", [0-9], [A-Za-z_], '"', "'", "}" at line 12, column 17 (byte 202) after filter {
** grok {**
** match => {**

You need to tell it what field to match the pattern against. The syntax should be

filter {
    grok { match => { "someField" => "somePattern" } }
1 Like

Hello There,
Appreciate your response.
The if condition above is not working. Could you please check and help?

Thank you!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.