Need help in parsing log in grok

(Lương Thế Nghi) #1

Hi support team
I have raw logs below:
GlobalProtect gateway user authentication succeeded. Login from:, Source region: VN, Login from:, User name: dungh, Auth type: profile, Client OS version: Android 7.0.
GlobalProtect gateway client configuration generated. User name: dungh, Private IP:, Client version: 4.1.6-2, Device name: SM-G950F-ce031713cd4518710d, Client OS version: Android 7.0, VPN type: Device Level VPN.

And grok code:
%{GREEDYDATA:message_vpn}. ((Login from: )%{IP:IP_from})?(,\s)?((Source region: )(?<Source_region>[a-zA-Z]+))?(,\s)?%{GREEDYDATA:tail}

My issue is that the output log is incorrect and it doesn't get "Source region". Help me!

I attached an image of the grok output.


(Nachiket) #2


Have you tried using the Grok debugger app included in Kibana (Dev Tools) to troubleshoot this? I used the included app and found that your Grok was not parsing in the correct format.

Also, if your logs are coming in the mentioned format, I would suggest you use something like KV to parse the data. Would you try using a config similar to this?

filter {
  grok {
    match => { "message" => "%{GREEDYDATA:message_vpn}\. %{GREEDYDATA:remainder}" }
  }
  kv {
    source      => "remainder"   # field to parse (target is where results would be written)
    field_split => ","
    value_split => ":"
    trim_key    => " "           # strip the space that follows each comma
    trim_value  => " "
  }
}
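As an added example that is not part of this thread, the grok split and kv pass suggested in the reply above, carried out in Python on the two log lines from the question so the empty "Login from:" values, the repeated key and the trailing period can be seen handled; all function names are the editor's.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two raw GlobalProtect lines from the question above.
SAMPLE_LOGS = [
    "GlobalProtect gateway user authentication succeeded. Login from:, Source region: VN, "
    "Login from:, User name: dungh, Auth type: profile, Client OS version: Android 7.0.",
    "GlobalProtect gateway client configuration generated. User name: dungh, Private IP:, "
    "Client version: 4.1.6-2, Device name: SM-G950F-ce031713cd4518710d, "
    "Client OS version: Android 7.0, VPN type: Device Level VPN.",
]

# Step 1, the grok split "%{GREEDYDATA:message_vpn}\. %{GREEDYDATA:remainder}".
# GREEDYDATA is .* (greedy); a non-greedy .*? is used here so the split always
# happens at the first ". ", even if a later value should ever contain ". ".
SPLIT_RE = re.compile(r"^(?P<message_vpn>.*?)\. (?P<remainder>.*)$")


def split_message(line: str) -> Tuple[str, str]:
    m = SPLIT_RE.match(line)
    if not m:
        raise ValueError(f"no '. ' separator in line: {line!r}")
    return m.group("message_vpn"), m.group("remainder")


def parse_kv(remainder: str) -> Dict[str, List[str]]:
    """Step 2, a kv pass with field_split ',' and value_split ':'.

    The original grok demanded an IP right after 'Login from: '; the sample has
    'Login from:,' with no value, so every optional group fell through to the
    trailing GREEDYDATA. Here an empty value is kept as '' and a repeated key
    ('Login from' occurs twice) collects into a list.
    """
    fields: Dict[str, List[str]] = {}
    for pair in remainder.rstrip(".").split(","):  # drop the sentence-final '.'
        key, _, value = pair.partition(":")        # split on the FIRST ':' only
        key, value = key.strip(), value.strip()    # like trim_key / trim_value
        if key:
            fields.setdefault(key, []).append(value)
    return fields


def parse_globalprotect(line: str) -> Dict[str, object]:
    """Whole pipeline: single values come back as str, repeated keys as list."""
    event, remainder = split_message(line)
    kv = parse_kv(remainder)
    flat: Dict[str, object] = {k: v[0] if len(v) == 1 else v for k, v in kv.items()}
    flat["message_vpn"] = event
    return flat
```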

(system) closed #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.