New to ELK - looking for Grok filter docs and help

dotson83 · January 3, 2017, 8:37pm

Hello,

I am new to ELK and I'm having issues with Grok. I'm trying to parse logs that look similar to this:

"message" => "<188>362233: Jan 3 15:17:27: %IGMP_QUERIER-4-ZERO_SRC_IP_ADDR: An IGMP General Query packet with source IP address that contained all zeroes is received in VLAN 1 on port Gi2/0/52.",

This is from a Cisco switch. I would like to pull the <188> and 362233 as well as the date and time out of the message but I'm not sure how to do it. I tried Grok and I think I made it match (how can I confirm?) the <188> part using %BASE10NUM:syslog_pri filter but it was still in the message part even though it did make a new tag called syslog_pri.

Also, where can I find documentation on what the built in regex filters actually do? I'm not very good with regex so I need a little explanation (I did find the actual expressions on github).

Thank you for the help!

warkolm · January 3, 2017, 10:54pm

What do you have so far?

dotson83 · January 3, 2017, 11:09pm

Well, I’ve changed it a lot but right now I’ve started over and have this:

input {
tcp {
port => 514

}
udp {
port => 514

}
}

filter {
grok {
match => ["message", "%{BASE10NUM}:syslog_pri}: %{GREEDYDATA}"]
}
syslog_pri {
}

}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}

Right now I’m just trying to parse the first part.

This is giving my a grok failure though but it worked earlier so I’m not sure why.

magnusbaeck · January 4, 2017, 7:28am

And what's the result of the stdout { codec => rubydebug } output?

Please always format configuration snippets and logs as preformatted text.

nick.e · January 4, 2017, 8:06am

Your match-pattern should look something like
<%{BASE10NUM:syslog_pri}>%{INT:test}: %{SYSLOGTIMESTAMP}: %{GREEDYDATA}

To test your grok I recommend Grok Debugger, you can insert your log line in the top field and your grok-patterns in the bottom.

All builtin grok-patterns can be found in the documentation:

magnusbaeck · January 4, 2017, 8:14am

Your match-pattern should look something like

This is true, although since there's no implicit ^ anchor in the grok filter I'd expect his existing expression to match anyway.

dotson83 · January 4, 2017, 3:02pm

And what's the result of the stdout { codec => rubydebug } output?

     "message" => "<188>362403: Jan  3 18:06:12: %IGMP_QUERIER-4-ZERO_SRC_IP_ADDR: An IGMP General Query packet with source IP address that contained all zeroes is received in VLAN 1 on port Gi2/0/52.",
            "@version" => "1",
          "@timestamp" => "2017-01-03T23:06:13.834Z",
                "host" => "10.93.1.2",
                "tags" => [
    [0] "_grokparsefailure"
],
"syslog_severity_code" => 5,
"syslog_facility_code" => 1,
     "syslog_facility" => "user-level",
     "syslog_severity" => "notice"

}

dotson83 · January 4, 2017, 3:08pm

Your match-pattern should look something like
<%{BASE10NUM:syslog_pri}>%{INT:test}: %{SYSLOGTIMESTAMP}: %{GREEDYDATA}

Thank you, I will try that out and let you know how it goes. The whole thing should still be in quotes right?

dotson83 · January 4, 2017, 3:48pm

Nick,

Thank you, that worked!

My last question is now that I've got the tags working now do I remove the content from the message?

Would I use mutate for this? Also, what is the purpose of matching data but not tagging it? What I mean is what does adding %{SYSLOGTIMESTAMP}: %{GREEDYDATA} without the :tag part do?

Thanks again for the help guys.``

dotson83 · January 4, 2017, 6:19pm

Ok, so I tried mutate but I can't figure out how to make it match what I want to remove.

Here is my current config:

        input {
          tcp {
            port => 514

      }
      udp {
        port => 514

      }
    }

    filter {
    grok {
    match   => ["message",  "<%{BASE10NUM:syslog_pri}>%{INT:seq}: %{SYSLOGTIMESTAMP}: %{GREEDYDATA}"]
    }
    syslog_pri {
    }
    mutate {
    remove_field => [ "message_%{BASE10NUM:syslog_pri}"]
    }
    }
    output {
      elasticsearch { hosts => ["localhost:9200"] }
      stdout { codec => rubydebug }
    }

This doesn't match anything.

How do I tell it it's part of the message but only remove a certain part? I got this far by using the docs but I'm apparently doing something wrong.

magnusbaeck · January 4, 2017, 6:53pm

Capture the stuff you want to keep back into the message field. Remember to set the overwrite option.

grok {
  match => ["message", "... %{GREEDYDATA:message}"]
  overwrite => ["message"]
}

dotson83 · January 4, 2017, 8:58pm

That did the trick.

Thank you!

So this wouldn't be possible with mutate then?

I'm just trying to figure out why mutate didn't work.

magnusbaeck · January 8, 2017, 4:46pm

So this wouldn't be possible with mutate then?

What you tried to do won't work but the mutate filter's gsub option would do the job (but it's more work for you).

dotson83 · January 8, 2017, 6:09pm

Oh ok, I was just curious.

Everything is working fine now.

Thanks again for the help.

system · February 5, 2017, 6:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.