Nexsus log grok parse

dh77hd · December 17, 2018, 2:54am

Hi.

I wanna parse Nexsus log using grok filter. But, it doesn't work.
please help me.

Here is my log
<189>: 2018 Dec 17 11:33:04 KST: %ETHPORT-5-IF_ADMIN_UP: Interface Ethernet1/40 is admin up .

and I want to parse like this.
<189>: => remove
2018 Dec 17 11:33:04 KST: => receive time
%ETHPORT-5-IF_ADMIN_UP: => facility - loglevel - mnemonic
Interface Ethernet1/40 is admin up . => message

Here is my grok filter
grok {
patterns_dir => [ "/etc/logstash/conf.d/patterns" ]
match => { "message" => "<%{INT:sequence}>:%{NEXUSTIMESTAMP:syslog_timestamp}: %%{DATA:facility}-%{INT:log-level}-%{DATA:facility_mnemonic}:%{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
add_tag => [ "success" ]
}

patterns file.
CISCOTIMESTAMPTZ %{CISCOTIMESTAMP}( %{TZ})?
NEXUSTIMESTAMP %{YEAR} %{MONTH} %{MONTHDAY} %{TIME}( %{TZ})?

Makra · December 17, 2018, 6:23am

@dh77hd

You have probably error at the end of timezone (CISCOTIMESTAMPTZ). The following grok works, you just need to build a pattern file out of it.

%{INT:sequence}>\:%{SPACE}%{YEAR}%{SPACE}%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME}%{SPACE}%{WORD:tz}\:%{SPACE}%{NOTSPACE:facility}\-%{NOTSPACE:loglevel}\-%{NOTSPACE:facility_mnemonic}%{SPACE}%{GREEDYDATA:msg}

dh77hd · December 17, 2018, 7:57am

Thank you so much
It's works!

system · January 14, 2019, 7:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.