Need logstash grok help

subin · December 27, 2017, 6:25am

Hi,

My pattern works well in grok-debugger, but fails in Logstash's pipeline. I've been trying for hours; no luck. Here are the logs that I'm trying to parse:

Nov 10 20:06:05 mx1 postfix/qmgr[4016]: D134620D03: from=<info@domain.com>, size=6638, nrcpt=1 (queue active)
Nov 10 20:05:49 mx2 postfix/qmgr[4016]: 64FBB20D03: from=<>, size=5733, nrcpt=1 (queue active)
Nov 10 20:06:05 mx1 postfix/qmgr[4016]: 38A6B2090E: removed

EIther of the filters work for all three log-patterns, in grok-debugger:

POST_QMGR %{SYSLOGBASE} %{QUEUEID:qid}: (?:removed|from=<(?:%{FROM_EMAIL:from})?>(?:, size=%{NUMBER:size}, nrcpt=%{NUMBER:nrcpt} \(%{DATA:queuestatus}\))?)

POST_QMGR %{SYSLOGBASE} %{QUEUEID:qid}: (removed|from=<(%{FROM_EMAIL:from})?>(, size=%{NUMBER:size}, nrcpt=%{NUMBER:nrcpt} \(%{DATA:queuestatus}\))?)

where:

FROM_EMAIL %{USERNAME:[from][emailname]}@%{HOSTNAME:[from][domain]}
QUEUEID (?:[A-F0-9]+|NOQUEUE)

But, neither of them work for log no.1, in the pipeline. What modifications should be done?

Thanks.

warkolm · December 27, 2017, 7:44am

Please show your entire config file.

subin · December 27, 2017, 7:58am

Please note that I've taken off %{SYSLOGBASE} from the aforementioned POST_QMGR syntax. So, now, my config file is:

input {
stdin {}
}

filter {

if [message] =~ /postfix\/qmgr\[\d+\]:/ {
grok {
patterns_dir => "/usr/share/logstash/patterns"
match => { "message" => "%{SYSLOGBASE} %{POST_QMGR}" }
tag_on_failure => [ "_grok_qmgr_fail" ]
add_tag => [ "_grok_postfix_success" ]
}
}

else {
mutate {
add_tag => ["_no_match"]
}
}

}

output {
elasticsearch {
hosts => [ "elk00.vpn:9200", "elk01.vpn:9200", "elk02.vpn:9200" ]
user => "logstash_logs"
password => "logstash_logs."
ssl => true
cacert => "/etc/logstash/ca.pem"
index => "logstash-postfix-%{+YYYY.MM.dd.HH.mm}"
}
stdout { codec => rubydebug }

This fails only for log no.1

Thanks.

subin · December 27, 2017, 10:19am

I've found the pipeline failing (but successful in debugger) for another log and filter. The log-line is:

Nov 11 19:17:33 ezm06-pco postfix/pickup[7864]: 3364E62F1D: uid=5000 from=<maddistevens2001@gmail.com>

And the filter is:

POST_PICKUP %{QUEUEID:qid}: uid=%{NUMBER:uid} from=<(%{FROM_EMAIL:from})?>

The common thing here is the field from=<user@domain.tld> that is contributing to the failure. If it's just from=<>, the filter works well in pipeline.

Hope this helps.

subin · December 27, 2017, 11:40am

Solved.

I replaced the initial syntax FROM_EMAIL with a simpler new syntax EMAIL:

EMAIL %{USERNAME:emailname}@%{HOSTNAME:domain}

It now works both in debugger and pipeline.

warkolm · December 27, 2017, 6:46pm

Thanks for sharing your solution!

system · January 24, 2018, 6:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GROK pattern and Debugger Logstash	3	279	September 2, 2020
Grokparsefailure PostgreSQL Logstash	5	2288	June 27, 2018
Grok pattern works at debugger but filter Logstash	3	340	April 26, 2019
Grok failure, Grok debug OK Logstash	2	352	August 10, 2020
"_grokparsefailure" for pattern that works on grok debugger Logstash	3	688	July 16, 2020

Need logstash grok help

Related topics