Parsing advise

sta02 · September 5, 2022, 7:49pm

Hello All,

How can I parse the below message? The below events are sent over syslog, and the output is sent to Sentinel.

I tried to use the KV filter but its failing, as part of parsing, I should also extract the username - F5@abc76

"message" => "1 2022-09-02T09:34:26.418481+02:00 FR0398.prod.lan tmm2 21491 01490521:5: [F5@abc76 hostname="FR0398.prod.lan" errdefs_msgno="01490521:5:" partition_name="Prod" session_id="6d27b4ab" Access_Profile="/Prod/nod2.aun.fesp" Partition="Prod" Session_ID="6d27b4ab" Bytes_In="7416300" Bytes_Out="13721229"] /Prod/nod2.aun.fesp:Prod:6d27b4ab: Session statistics - bytes in: 7416300, bytes out: 13721229"

Please advise.

--
Thanks in Advance.
Siddarth

leandrojmp · September 5, 2022, 8:39pm

What have you tried? Please share the config you are using.

You should use the kv filter, but you need first to use the dissect filter to extract the kv part from the rest of your message.

You didn't specify which fields you want to extract, but you will need something like this:

dissect {
    mapping => {
        "message" => "%{} %{timestamp} %{[host][name]} %{}[F5@%{[user][name]} %{kvMsg}]%{}"
    }
}

This will extract some fields, and put your key-value date in the field kvMsg.

hostname="FR0398.prod.lan" errdefs_msgno="01490521:5:" partition_name="Prod" session_id="6d27b4ab" Access_Profile="/Prod/nod2.aun.fesp" Partition="Prod" Session_ID="6d27b4ab" Bytes_In="7416300" Bytes_Out="13721229"

So you can use the kv filter with this field.

sta02 · September 6, 2022, 9:16am

Hello @leandrojmp ,

Thank you for your response. I tried to implement it. In my lab, it works fine (I used stdout to check if the filter was working fine), however, when I moved the code to Prod, where the output is directed to Sentinel, the dissect filter and all the filters are failing.

sta02 · September 6, 2022, 9:17am

@leandrojmp , I am attaching a snipping from the Prod. Please advise.

--
Thanks in Advance.
Siddarth

leandrojmp · September 6, 2022, 12:21pm

This message is completely different from the one you shared.

The dissect filter I shared as an example will only work with messages that have the same format you shared before, if you have different messages you will need to build other dissect filters and find a way to use conditionals to filter your messages.

system · October 4, 2022, 12:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.