Need help in capturing a pattern

manikandanb87 · March 31, 2020, 12:10pm

Hi Experts,
Iam using filebeat to feed my logs to Logstash.

Now, I need your help in capturing the occurences of "Sign on Code failed for user" in my logs. Kindly help me with the grok pattern code for it.

My sample log entry is as below -
JVM.128077 (437) [2020-03-31T11:56:24.569 Usercheck] c9qnpn/QLB2UyA 1610670968891559937 - (3) Sign on Code failed for user USERA@xxx.xxx.xxx.xx

Thanks!

Badger · March 31, 2020, 3:20pm

Why use grok? You can just do a string match

if "Sign on Code failed for user" in [message] { ...

manikandanb87 · March 31, 2020, 4:33pm

Hello There,
Thanks for your reply.

Could you please help to fix the below issue.
I tested my grok pattern online and it looks good but when I try to test my config file using below command. I am getting error. I tried changing {} to in the match statement but no luck.

./logstash -f failedlogins.conf --config.test_and_exit

input {
  file {
    path => "/searchtech/logstash-7.6.1/bin/failelogin.log"
    start_position => "beginning"
	sincedb_path => "/dev/null"
	type => syslog
    }
}

filter {
    grok {
      match => {%{WORD:process}\.%{NOTSPACE:pid}%{SPACE}(\(%{NUMBER:service_request}\))%{SPACE}\[%{TIMESTAMP_ISO8601:app_timestamp}(%{SPACE}%{DATA:tuxservice})]%{SPACE}%{NOTSPACE:SRID}%{SPACE}%{NOTSPACE:TOPInstanceID}%{SPACE}%{USER:oprid}%{SPACE}\(%{NUMBER:log_level}\)%{SPACE}%{SPACE}%{GREEDYDATA:log_message}}
}
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

Error -
[2020-03-31T16:28:34,635][FATAL][logstash.runner ] The given configuration is invalid. Reason: Expected one of [ \t\r\n], "#", "-", [0-9], [A-Za-z_], '"', "'", "}" at line 12, column 17 (byte 202) after filter {
** grok {**
** match => {**

Badger · March 31, 2020, 6:33pm

You need to tell it what field to match the pattern against. The syntax should be

filter {
    grok { match => { "someField" => "somePattern" } }
}

manikandanb87 · April 1, 2020, 12:41pm

Hello There,
Appreciate your response.
The if condition above is not working. Could you please check and help?

Thank you!

system · April 29, 2020, 12:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Capture Message Logstash	3	291	May 6, 2020
Write a RegEx to match the event pattern in log file Logstash	2	348	June 20, 2023
Logstash Grok pattern not working Logstash	5	2100	June 17, 2019
Custom Pattern is not working in Logstash Logstash	3	365	March 26, 2018
Filter username or email address within space delimited string Logstash	4	308	March 9, 2021

Need help in capturing a pattern

Related topics