Netscout Arbor legacy syslog parsing - Audit log issue

Your field split is not a space, it is a comma.

Try this kv

filter {
    kv {
        field_split => ","
        value_split => ":"
        trim_key => "\s"
    }
}

Running it for the message

user: kyloren, timestamp: 18:21 04/12/22, device: FW-DOS01, name: PG-FW-01-DD, action: Update, type: Protection Group, message: , descr_short: Updated Protection Group PG-FW-01-DD, descr_long: Updated Protection Group PG-FW-01-DD, url: https://FW-DOS01/audittrail?audit_component=25&audit_obj_id=161

It gives the following result:

{
      "timestamp" => "18:21 04/12/22",
           "name" => "PG-FW-01-DD",
           "user" => "kyloren",
    "descr_short" => "Updated Protection Group PG-FW-01-DD",
       "@version" => "1",
            "url" => "https://FW-DOS01/audittrail?audit_component=25&audit_obj_id=161",
     "@timestamp" => 2022-04-14T12:37:04.320Z,
         "action" => "Update",
        "message" => "user: kyloren, timestamp: 18:21 04/12/22, device: FW-DOS01, name: PG-FW-01-DD, action: Update, type: Protection Group, message: , descr_short: Updated Protection Group PG-FW-01-DD, descr_long: Updated Protection Group PG-FW-01-DD, url: https://FW-DOS01/audittrail?audit_component=25&audit_obj_id=161",
     "descr_long" => "Updated Protection Group PG-FW-01-DD",
         "device" => "FW-DOS01",
           "type" => "Protection Group"
}
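
An offline check of the same split logic, added here as an example (it is not part of the original reply and not Logstash's own code). `parse_naive` splits on every comma and then on the first colon, and reproduces the field values shown above for that message; `parse_anchored` breaks only on a comma that is followed by a known key, which matters if a description ever contains a comma. The key list and the second sample line are assumptions built from the one message shown.

```python
import re

# The audit message quoted in the post above.
SAMPLE = ("user: kyloren, timestamp: 18:21 04/12/22, device: FW-DOS01, "
          "name: PG-FW-01-DD, action: Update, type: Protection Group, message: , "
          "descr_short: Updated Protection Group PG-FW-01-DD, "
          "descr_long: Updated Protection Group PG-FW-01-DD, "
          "url: https://FW-DOS01/audittrail?audit_component=25&audit_obj_id=161")

# Constructed line (not from the page): a description that contains a comma.
COMMA_SAMPLE = ("user: kyloren, action: Update, "
                "descr_long: Updated groups PG-A, PG-B, url: https://FW-DOS01/x")

# Keys seen in the sample; assumed (not confirmed by the page) to be the full set.
KNOWN_KEYS = ("user", "timestamp", "device", "name", "action", "type",
              "message", "descr_short", "descr_long", "url")

def parse_naive(line):
    """Split on every comma, then on the first colon of each piece."""
    fields = {}
    for piece in line.split(","):
        key, sep, value = piece.partition(":")   # first colon only, so URLs survive
        key, value = key.strip(), value.strip()
        if sep and key and value:                # drop empty values such as "message: "
            fields[key] = value
    return fields

# A comma starts a new field only when a known key and a colon follow it.
_BOUNDARY = re.compile(r",\s*(?=(?:%s):)" % "|".join(map(re.escape, KNOWN_KEYS)))

def parse_anchored(line):
    """Split only at ', <known key>:' boundaries, keeping commas inside values."""
    fields = {}
    for piece in _BOUNDARY.split(line):
        key, sep, value = piece.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key in KNOWN_KEYS and value:
            fields[key] = value
    return fields

def truncated_fields(line):
    """Keys whose value the plain comma split cuts short or loses."""
    naive, anchored = parse_naive(line), parse_anchored(line)
    return sorted(k for k in anchored if naive.get(k) != anchored[k])
```

Running `truncated_fields` over a batch of real audit lines before deploying the filter shows whether any field in your data is affected by embedded commas.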