OpenAM access log grok filter

Hi,

Can anyone please help and provide the grok pattern for the logs below?
I want to get the uid (uid=12398938) in a separate field, or if I can get the complete "uid=12398938,ou=people,dc=abcdef,dc=com" in separate fields, that's also fine.

Please help with this.

"2020-08-21 04:37:48" "Login Success|isNoSession=false" 10.114.14.128 "cn=dcdfeuser,ou=DHAME Users,dc=openam,dc=forgerock,dc=org" uid=12398938,ou=people,dc=abcdef,dc=com "Not Available" LDAPEmail b9a44251b39631e001 dc=openam,dc=forgerock,dc=org INFO 10.114.14.128 AUTHENTICATION-100

Thanks
NikhileshGade

 grok { match => { "message" => "^%{QS} %{QS} %{IPV4} %{QS} %{NOTSPACE:id}" } }

will get you

"id" => "uid=12398938,ou=people,dc=abcdef,dc=com"

Thanks Badger,

How do I test this in [Grok Debugger]? I could see the pattern failed when tested with the above. Can you please help?

Thanks
Nikhilesh Gade

Thanks much, it worked:)
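
An added example, not part of the original thread: an offline Python check of the grok pattern from the answer above, which also splits the captured `id` into its DN components so the bare uid lands in its own field. The regexes are simplified stand-ins for grok's `QS`, `IPV4` and `NOTSPACE`, and `parse_openam_line` and the second sample line are constructed for illustration.

```python
import re

# Simplified Python stand-ins for the grok patterns used in the answer.
# Assumption: only double-quoted strings occur (grok's QS accepts more styles).
QS = r'"(?:[^"\\]|\\.)*"'
IPV4 = r'(?:\d{1,3}\.){3}\d{1,3}'
NOTSPACE = r'\S+'

# Same shape as: ^%{QS} %{QS} %{IPV4} %{QS} %{NOTSPACE:id}
LINE_RE = re.compile(rf'^{QS} {QS} {IPV4} {QS} (?P<id>{NOTSPACE})')


def parse_openam_line(line):
    """Return {'id', 'uid', 'rdns'} for a matching line, or None on no match."""
    m = LINE_RE.match(line)
    if m is None:
        # Logstash would tag such an event with _grokparsefailure.
        return None
    dn = m.group('id')
    # Split the DN into (attribute, value) pairs.
    # Assumption: values contain no escaped commas.
    rdns = [tuple(part.split('=', 1)) for part in dn.split(',') if '=' in part]
    uid = next((v for k, v in rdns if k.lower() == 'uid'), None)
    return {'id': dn, 'uid': uid, 'rdns': rdns}


# Log line from the question above.
SAMPLE = ('"2020-08-21 04:37:48" "Login Success|isNoSession=false" 10.114.14.128 '
          '"cn=dcdfeuser,ou=DHAME Users,dc=openam,dc=forgerock,dc=org" '
          'uid=12398938,ou=people,dc=abcdef,dc=com "Not Available" LDAPEmail '
          'b9a44251b39631e001 dc=openam,dc=forgerock,dc=org INFO 10.114.14.128 '
          'AUTHENTICATION-100')

# Constructed line: the fifth field is a quoted placeholder instead of a DN.
# NOTSPACE still matches, but it captures only the fragment '"Not'.
NO_DN_SAMPLE = ('"2020-08-21 04:38:02" "Login Failed" 10.114.14.128 '
                '"cn=dcdfeuser,ou=DHAME Users,dc=openam,dc=forgerock,dc=org" '
                '"Not Available" "Not Available" LDAPEmail')

if __name__ == '__main__':
    for line in (SAMPLE, NO_DN_SAMPLE, 'not an access log line'):
        print(parse_openam_line(line))
```

The constructed second line shows why a downstream check on `uid` is worth having: the pattern matches, yet `id` holds a quoted fragment rather than a DN.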
