Openam acess log grok filter

nikhilesh · August 21, 2020, 8:54am

Hi,

Can any please help on and provide the grok pattern for the below logs.
i want to get the uid(uid=12398938) in a separate field or if i can get the complete "uid=12398938,ou=people,dc=abcdef,dc=com" in seperate fields, that's also fine.

please help on this.

"2020-08-21 04:37:48" "Login Success|isNoSession=false" 10.114.14.128 "cn=dcdfeuser,ou=DHAME Users,dc=openam,dc=forgerock,dc=org" uid=12398938,ou=people,dc=abcdef,dc=com "Not Available" LDAPEmail b9a44251b39631e001 dc=openam,dc=forgerock,dc=org INFO 10.114.14.128 AUTHENTICATION-100

Thanks
NikhileshGade

Badger · August 21, 2020, 3:58pm

 grok { match => { "message" => "^%{QS} %{QS} %{IPV4} %{QS} %{NOTSPACE:id}" } }

will get you

"id" => "uid=12398938,ou=people,dc=abcdef,dc=com"

nikhilesh · August 24, 2020, 3:02pm

Thanks Badger,

How to test this in [Grok Debugger] ? could see pattern failed when tested with above. can u please help.

Thanks
Nikhilesh Gade

nikhilesh · August 24, 2020, 3:17pm

Thanks much, it worked:)

system · September 21, 2020, 3:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok capture index value with different patterns within the message Logstash	3	269	July 23, 2019
What is the grok pattern for find userid from message? Logstash	1	269	November 13, 2020
Grok Pattern For Access Log Logstash	3	4470	July 25, 2017
Logstash grok filter not working Logstash	4	350	February 9, 2021
Filter username or email address within space delimited string Logstash	4	308	March 9, 2021

Openam acess log grok filter

Related topics