Parse log file line by line

pen120 · April 6, 2023, 1:18pm

I have a log file with output repetitive below, I want to parse this log line by line in fields to extract the value for each line

10:31:07 2022/10/16 ZBXTRAP 192.168.23.2
PDU INFO:
  messageid                      0
  community                      public
  errorindex                     0
  transactionid                  2
  errorstatus                    0
  version                        1
  notificationtype               TRAP
  requestid                      646956120
  receivedfrom                   UDP: [192.168.23.2]:32768->[192.168.23.99]:162
VARBINDS:
  DISMAN-EVENT-MIB::sysUpTimeInstance type=67 value=Timeticks: (3644796808) 421                                                            days, 20:26:08.08
  SNMPv2-MIB::snmpTrapOID.0      type=6  value=OID: SNMPv2-SMI::enterprises.6302                                                           .2.1.5.1
  SNMPv2-SMI::enterprises.6302.2.1.4.1.1 type=65 value=Counter32: 1280
  SNMPv2-SMI::enterprises.6302.2.1.4.1.2 type=4  value=Hex-STRING: 07 DE 08 07 0                                                           6 16 07 00 2B 00 00
  SNMPv2-SMI::enterprises.6302.2.1.4.1.3 type=2  value=INTEGER: 2
  SNMPv2-SMI::enterprises.6302.2.1.4.1.4 type=2  value=INTEGER: 3
  SNMPv2-SMI::enterprises.6302.2.1.4.1.5 type=4  value=STRING: "Mains Failure, its owner: Power System"
  SNMPv2-SMI::enterprises.6302.2.1.4.1.6 type=2  value=INTEGER: 78325

my logstash script that give a message field:

input {
  file {
    path => "/var/log/snmptrap/snmptrap.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline{
      pattern =>"%{DATE:date} %{TIME:time}"
      negate =>true
      what => "previous"
    }
  }
}
output {
        elasticsearch {
        hosts => ["127.0.0.1:9200"]
        }
}

leandrojmp · April 6, 2023, 1:20pm

If you want to parse it line by line you need to remove the multiline codec from your input.

This will make every line in the log you shared independent from each other.

pen120 · April 6, 2023, 1:37pm

I have a repetitive bloc with the same format of lines, how to have a entry in Kibana of each bloc if I suppress multiline codec?
i have used multiline codec to parse to message field in logstash,
how to parse message field

Badger · April 6, 2023, 1:58pm

You could use grok. See this thread for an example.

system · May 4, 2023, 1:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.