Parse linux cron log

(Haouas) #1

Hello,
I'm a newbie in ELK. I'm trying to parse a cron log. I'm using grokdebugger to test my grok pattern.

My input is like this:
May 12 06:01:01 bela-vtu182 run-parts(/etc/cron.hourly)[28118]: starting 0anacron
May 12 06:01:01 bela-vtu182 run-parts(/etc/cron.hourly)[28127]: finished 0anacron
May 12 06:01:01 bela-vtu182 run-parts(/etc/cron.hourly)[28118]: starting fusioninventory-agent
May 12 06:01:01 bela-vtu182 run-parts(/etc/cron.hourly)[28134]: finished fusioninventory-agent
May 12 07:01:01 bela-vtu182 CROND[28338]: (root) CMD (run-parts /etc/cron.hourly)

My grok pattern is like this:
%{MONTH:Month} %{MONTHDAY:Jour} %{TIME:Temps} %{HOSTNAME:Serveur} %{GREEDYDATA:autre}[%{NUMBER:ID}]: (%{USER:user})%{GREEDYDATA:commande}

My grok pattern functions for lines which contain (root).

{
"Temps": "07:01:01",
"Serveur": "bela-vtu182",
"Month": "May",
"Jour": "12",
"ID": "28338",
"commande": " CMD (run-parts /etc/cron.hourly)",
"user": "root",
"autre": "CROND"
}

But it does not function for the other input lines.
I would like to add a condition to remove the field "user" when it is not present.

Can someone help me?
Thank you in advance.

#2

Hi,
I am using this expression (?:\[%{DATA:thread}\]) to match a string in square brackets if it's present.
So I believe something like (?:\(%{USER:user}\)) should work for you.
Slashes are there as an escape character, while (?: ...) is probably the construction you were looking for.

(Haouas) #3

Hello Oozza,

Thank you very much, it helps me a lot.
Finally I used the following pattern, which seems to function:
(?:(%{USER:user})|(%{GREEDYDATA:commande}))
The pipe is used to indicate that we expect to have either a user or a command line.

I close the discussion and declare it resolved.
Thank you.
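As an added example (not from either poster), here is the same cron log parsed in Python with a regex equivalent of the grok pattern from #1, using the escaped optional "(user)" group suggested in #2 and dropping the "user" field when it is absent; the grok built-ins (MONTH, MONTHDAY, HOSTNAME, USER, ...) are replaced by simplified hand-written equivalents, which is an assumption, and the last sample line is constructed.

```python
import re

# Regex equivalent of the grok pattern discussed in the thread.
# The bracket and parenthesis characters are escaped so that "[28338]" and
# "(root)" are matched literally instead of being read as regex syntax.
CRON_LINE = re.compile(
    r"^(?P<Month>[A-Z][a-z]{2}) +"          # simplified MONTH
    r"(?P<Jour>\d{1,2}) "                   # simplified MONTHDAY
    r"(?P<Temps>\d{2}:\d{2}:\d{2}) "        # TIME
    r"(?P<Serveur>[A-Za-z0-9._-]+) "        # simplified HOSTNAME
    r"(?P<autre>.*?)"                       # program, e.g. CROND or run-parts(/etc/cron.hourly)
    r"\[(?P<ID>\d+)\]: "                    # literal [PID]:
    r"(?:\((?P<user>[a-zA-Z0-9._-]+)\) )?"  # optional "(user) " group, as in #2
    r"(?P<commande>.*)$"                    # rest of the line
)

# First five lines are the input from post #1; the last line is constructed
# to show a non-root user being extracted.
SAMPLE_LOG = """\
May 12 06:01:01 bela-vtu182 run-parts(/etc/cron.hourly)[28118]: starting 0anacron
May 12 06:01:01 bela-vtu182 run-parts(/etc/cron.hourly)[28127]: finished 0anacron
May 12 06:01:01 bela-vtu182 run-parts(/etc/cron.hourly)[28118]: starting fusioninventory-agent
May 12 06:01:01 bela-vtu182 run-parts(/etc/cron.hourly)[28134]: finished fusioninventory-agent
May 12 07:01:01 bela-vtu182 CROND[28338]: (root) CMD (run-parts /etc/cron.hourly)
May 12 07:30:01 bela-vtu182 CROND[28400]: (backup) CMD (/usr/local/bin/backup.sh)
"""


def parse_cron_line(line):
    """Return a dict of fields for one cron log line, or None if it does not match."""
    m = CRON_LINE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    if fields["user"] is None:
        del fields["user"]  # drop the field when no "(user)" is present, as asked in #1
    return fields


def parse_cron_log(text):
    """Parse every line of a cron log, skipping lines that do not match."""
    return [f for f in (parse_cron_line(l) for l in text.splitlines()) if f]
```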