Hi
I googled and found the following grok pattern for this:
if [type] == "Netscaler" {
  grok {
    match => [
      "message", "<%{POSINT:syslog_pri}> <ns_syslog_timestamp>%{DATE}:%{TIME} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - %{DATA} %{IP:vserver_ip}:%{POSINT:vserver_port} - %{DATA} %{IP:nat_ip}:%{POSINT:nat_port} - %{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - %{DATA} %{DATE_US:DELINK_DATE}:%{TIME:DELINK_TIME} GMT - %{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
      "message", "<%{POSINT:syslog_pri}> <ns_syslog_timestamp>%{DATE}:%{TIME} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - %{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - %{DATA} %{DATE_US:START_DATE}:%{TIME:START_TIME} GMT - %{DATA} %{DATE_US:END_DATE}:%{TIME:END_TIME} GMT - %{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
      "message", "<%{POSINT:syslog_pri}> <ns_syslog_timestamp>%{DATE}:%{TIME} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{INT:netscaler_spcbid} - %{DATA} %{IP:clientip} - %{DATA} %{INT:netscaler_client_port} - %{DATA} %{IP:netscaler_vserver_ip} - %{DATA} %{INT:netscaler_vserver_port} %{GREEDYDATA:netscaler_message} - %{DATA} %{WORD:netscaler_session_type}",
      "message", "<%{POSINT:syslog_pri}> <ns_syslog_timestamp>%{DATE}:%{TIME} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message}"
    ]
  }
}
but, as best I can tell, it ends up not being parsed:
@timestamp  May 2nd 2017, 13:44:29.823
@version    1
_id         AVvI-dyf7s6S-ye7T3AQ
_index      netscaler-2017.05.02
_score      -
_type       Netscaler
host        172.17.20.190
message     <134> 05/02/2017:11:44:29 GMT dc2-ns1-vpx1 0-PPE-0 : default TCP CONN_DELINK 588243517 0 : Source 172.17.200.144:63435 - Vserver XXX.XX.214.171:80 - NatIP XXX.XX.214.170:32206 - Destination XXX.XX.214.164:80 - Delink Time 05/02/2017:11:44:29 GMT - Total_bytes_send 12112 - Total_bytes_recv 6717
tags        _grokparsefailure
type        Netscaler
What am I missing here, or is there a better/simpler way to handle NetScaler syslog logfiles?
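The following is an added example, not part of the post above and not Logstash or Citrix code. It runs the first pattern from the post and a corrected one against a constructed copy of the event shown above, using Python's re in place of Logstash's Oniguruma grok engine, so a minimal subset of the grok pattern library is transcribed inline (no IPv6, no atomic groups). The corrected pattern, the field names ns_ppe, ns_partition, ns_feature, ns_event, ns_msg_id and ns_level for the "default TCP CONN_DELINK 588243517 0" header, and the 198.51.100.x documentation addresses substituted for the masked octets are all assumptions of this example.

```python
import re

# Subset of the grok pattern library, transcribed from logstash-patterns-core and
# simplified where Python's re differs from Oniguruma (YEAR drops the atomic group,
# IP has no IPv6 alternative). Enough to run the patterns under discussion.
GROK_PATTERNS = {
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "DATE_US": r"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}",
    "DATE_EU": r"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}",
    "DATE": r"%{DATE_US}|%{DATE_EU}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)",
    "IP": r"%{IPV4}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "SYSLOGHOST": r"%{IPORHOST}",
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME} and %{NAME:field} references into a Python regex.

    %{NAME:field} becomes a named group. Oniguruma-style (?<name>...) groups,
    the syntax Logstash grok accepts, are rewritten to Python's (?P<name>...).
    """
    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in GROK_PATTERNS:
            raise ValueError("unknown grok pattern %%{%s}" % name)
        inner = grok_to_regex(GROK_PATTERNS[name])  # patterns reference patterns
        return "(?P<%s>%s)" % (field, inner) if field else "(?:%s)" % inner
    expanded = _GROK_REF.sub(repl, pattern)
    # (?<name> -> (?P<name>, leaving (?<= and (?<! lookbehinds untouched
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", expanded)


def grok_match(pattern, line):
    """Return the captured fields, or None where Logstash would tag _grokparsefailure."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


# Constructed sample, adapted from the event in the post: the masked XXX.XX octets
# are replaced with 198.51.100.x documentation addresses so %{IP} has real input.
SAMPLE = ("<134> 05/02/2017:11:44:29 GMT dc2-ns1-vpx1 0-PPE-0 : default TCP CONN_DELINK 588243517 0 : "
          "Source 172.17.200.144:63435 - Vserver 198.51.100.171:80 - NatIP 198.51.100.170:32206 - "
          "Destination 198.51.100.164:80 - Delink Time 05/02/2017:11:44:29 GMT - "
          "Total_bytes_send 12112 - Total_bytes_recv 6717")

# First pattern from the post, verbatim. "<ns_syslog_timestamp>" here is literal text,
# not a named group (that would be "(?<ns_syslog_timestamp>...)"), so the regex can
# never line up with the event. Separately, with no literal " GMT" after the time,
# %{SYSLOGHOST} would capture "GMT" as the hostname even if the first bug were fixed.
ORIGINAL_PATTERN = (
    "<%{POSINT:syslog_pri}> <ns_syslog_timestamp>%{DATE}:%{TIME} %{SYSLOGHOST:syslog_hostname} "
    "%{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - "
    "%{DATA} %{IP:vserver_ip}:%{POSINT:vserver_port} - %{DATA} %{IP:nat_ip}:%{POSINT:nat_port} - "
    "%{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - "
    "%{DATA} %{DATE_US:DELINK_DATE}:%{TIME:DELINK_TIME} GMT - "
    "%{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}"
)

# Corrected CONN_DELINK pattern (an assumption of this example, not from the post):
# anchored, a real named group for the timestamp, the literal " GMT", and the fixed
# tokens of the message matched literally instead of with %{DATA}. The ns_* names for
# the "default TCP CONN_DELINK 588243517 0" header are this example's own reading of it.
FIXED_PATTERN = (
    "^<%{POSINT:syslog_pri}> (?<ns_syslog_timestamp>%{DATE}:%{TIME}) GMT "
    "%{SYSLOGHOST:syslog_hostname} %{DATA:ns_ppe} : %{WORD:ns_partition} %{WORD:ns_feature} "
    "%{WORD:ns_event} %{INT:ns_msg_id} %{INT:ns_level} : "
    "Source %{IP:source_ip}:%{POSINT:source_port} - Vserver %{IP:vserver_ip}:%{POSINT:vserver_port} - "
    "NatIP %{IP:nat_ip}:%{POSINT:nat_port} - Destination %{IP:destination_ip}:%{POSINT:destination_port} - "
    "Delink Time (?<delink_time>%{DATE}:%{TIME}) GMT - "
    "Total_bytes_send %{POSINT:total_bytes_sent} - Total_bytes_recv %{POSINT:total_bytes_recv}$"
)


def parse_conn_delink(line):
    """Parse one NetScaler CONN_DELINK event with the corrected pattern."""
    return grok_match(FIXED_PATTERN, line)


if __name__ == "__main__":
    print("original pattern:", grok_match(ORIGINAL_PATTERN, SAMPLE))  # None, i.e. _grokparsefailure
    for key, value in sorted(parse_conn_delink(SAMPLE).items()):
        print("%-20s %s" % (key, value))
```

The FIXED_PATTERN string can be pasted as-is into a Logstash grok `match`, since `(?<name>...)` is the named-group syntax grok accepts; the other three patterns in the post carry the same literal `<ns_syslog_timestamp>` and need the same change. Two caveats: the inline library omits IPv6, so a NetScaler logging IPv6 addresses would need the full `%{IP}` pattern from logstash-patterns-core; and anchoring with `^`/`$` while matching fixed tokens literally, rather than chaining `%{GREEDYDATA}` and `%{DATA}`, both removes the hostname-swallowing ambiguity and avoids the backtracking cost that an unexpected or attacker-shaped log line can impose on a grok filter that has to fail through every alternative.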