Need help with grok and zabbix

Franz · October 10, 2018, 8:18am

Hello there, im trying to send some logs to zabbix with grok filter, i'm rly trying to understand what im doing but no luck at the moment

This is the log im trying to filter:

2898880;2018-03-30;13:00:10;1;[001]: Przyznanie dostępu;2052;;Krakow K21;;;;Name Surname;805;PR612v1.18.08.1966/0805/4919_T1;1;XXX-XXX - Employees;2;Employees;0;32;BRAK;1;2;0;;;;32;{C8D2B48C-B623-4093-A1AA-2814085F97FC};2;Brak;1;Słuzb.;Name;Surname;3C0069ECA9;2,57705E+11;PR612v1.18.08.1966/0805/4919_T1

And this is the filter I have made:

  grok {
      match => { "message" => "%{NUMBER:Unikalny_kod_zdarzenia_UID};%{DATE:Data};%{TIME:Godzina};.*?;%{DATA:Nazwa_zdarzenia};%{NUMBER:ID_uzytkownika};.*?;.*?;.*?;.*?;.*?;%{DATA:Nazwa_uzytkownika};.*?;%{DATA:Nazwa_punktu_identyfikacji};.*?;%{DATA:Nazwa_strefy};.*?;%{DATA:Nazwa_grupy};%{NUMBER:Typ_zdarzenia};.*?;%{DATA:Tryb_RCP_nazwa};.*?;.*?;.*?;.*?;.*?;.*?;.*?;.*?;.*?;.*?;.*?;.*?;.*?;.*?;%{DATA:Kod_karty_HEX};%{DATA:Kod_karty_DEC};%{DATA:Nazwa_czytnika}" }
        named_captures_only => true
    }

    mutate {
        add_field => { "zhost" => "AAA" }
        add_field => { "zkey" => "roger_message" }
        remove_field => ["message"]
    } }

And some custom patterns for Date and Time but i dont think you would need them, just in case

DATE %{YEAR}-%{MONTHNUM}-%{MONTHDAY}
TIME %{HOUR}:%{MINUTE}:%{SECOND}

Oh, and the remove_field => ["message"] is optional, just for kibana, as it doesnt work for zabbix as its stopping logstash sending anything to zabbix -_-'

It filters rly good for Kibana, does what need to be done. It names fields and kibana shows it all right. But there are several problems while sending filtered log to zabbix that im trying to solve:

While there is a log with "{something}" it doesn't seem to go through grok and sends just a plain log to zabbix, just plain message. If there is no {} in log data it works altho it doesn't send it like "Field Name1: log value1;Field Name2: log value2........" but just "log value1;logvalue2;;;;;;;log value3;...."
I have tried to use zabbix plugin's multi_value but unfortunately it send every field value as separate message [as i was trying to send few values for the same key] so instead of getting "field value1;field value2;field value3..." im getting "field value1" "field value2" "field value3" etc.

I have tried to escape those {} with \ and \ and no luck with that too.

I would rly appreciate some help with that And sorry that there are polish field names but im just trying so its a work in progress....

system · November 7, 2018, 8:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.