Need help in parsing log in grok


(Lương Thế Nghi) #1

Hi support team
I have raw logs below:
GlobalProtect gateway user authentication succeeded. Login from: 14.15.10.62, Source region: VN, Login from: 14.187.170.62, User name: dungh, Auth type: profile, Client OS version: Android 7.0.
GlobalProtect gateway client configuration generated. User name: dungh, Private IP: 172.16.253.251, Client version: 4.1.6-2, Device name: SM-G950F-ce031713cd4518710d, Client OS version: Android 7.0, VPN type: Device Level VPN.

And grok code:
%{GREEDYDATA:message_vpn}. ((Login from: )%{IP:IP_from})?(,\s)?((Source region: )(?<Source_region>[a-zA-Z]+))?(,\s)?%{GREEDYDATA:tail}

My issue is that the output log is incorrect and it doesn't get "Source region". Help me!

I attached an image of the grok output.

Thanks,


(Nachiket) #2

Hi,

Have you tried using the Grok debugger app included in Kibana (Dev Tools) to troubleshoot this? I used the included app and found that your Grok was not parsing in the correct format.

Also, if your logs are coming in the mentioned format, I would suggest you use something like KV to parse the data. Would you try using a config similar to this?

grok {
  # Split on the first ". ": the sentence before it becomes message_vpn, everything after it becomes remainder
  match => { "message" => "%{GREEDYDATA:message_vpn}\. %{GREEDYDATA:remainder}" }
}
kv {
  # Parse the remainder field produced by grok rather than the whole message
  source => "remainder"
  field_split => ","
  value_split => ":"
  # Strip the spaces around each "Key: value" pair so the field is "Source region", not " Source region"
  trim_key => " "
  trim_value => " "
}
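To check what that grok + kv pair should produce before touching the pipeline, here is an added Python example (not from either poster or from Logstash itself) that performs the same split on the two log lines quoted in the question, constructed inline as sample input. It also shows the one edge case in the first event: "Login from" appears twice, so the value becomes a list, which is how the kv filter treats a repeated key.

```python
import re

# Constructed sample input: the two GlobalProtect events quoted in the question.
SAMPLE_LOGS = [
    "GlobalProtect gateway user authentication succeeded. Login from: 14.15.10.62, "
    "Source region: VN, Login from: 14.187.170.62, User name: dungh, Auth type: profile, "
    "Client OS version: Android 7.0.",
    "GlobalProtect gateway client configuration generated. User name: dungh, "
    "Private IP: 172.16.253.251, Client version: 4.1.6-2, "
    "Device name: SM-G950F-ce031713cd4518710d, Client OS version: Android 7.0, "
    "VPN type: Device Level VPN.",
]

# Equivalent of the grok line: split on the first ". " into message_vpn and remainder.
HEAD_RE = re.compile(r"^(?P<message_vpn>.*?)\. (?P<remainder>.*)$")


def parse_globalprotect(line: str) -> dict:
    """Split one event into message_vpn plus the key/value pairs, the way grok + kv would."""
    m = HEAD_RE.match(line)
    if not m:
        # No ". " separator: keep the whole line as the message and return no fields.
        return {"message_vpn": line.rstrip("."), "remainder": {}}
    fields = {}
    # kv step: split pairs on ",", each pair on its first ":", trim whitespace,
    # and drop the trailing "." that ends every event.
    for pair in m.group("remainder").rstrip(".").split(","):
        key, sep, value = pair.partition(":")
        if not sep:
            continue  # fragment without a ":" is not a key/value pair
        key, value = key.strip(), value.strip()
        if key in fields:
            # Repeated key (two "Login from" values in the first event): keep both as a list.
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return {"message_vpn": m.group("message_vpn"), "remainder": fields}


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(parse_globalprotect(log))
```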