Pattern logstash to get multi information in log but log don't have exactly format for problem

Tr_ng_Trang · January 6, 2017, 2:38am

I have problem to write pattern to get information on logstash, after [severity "CRITICAL"] i want to get all word have tag before like [tag "language-multi"] [tag "platform-multi"] i will get language-multi and platform-multi but i don't exactly number of tag word, and i just want to get information after tag, if after ver like [ver "OWASP_CRS/3.0.0"] i will dont get.
can solution for my problem?
thanks you all.

[severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.84.86.187"] [uri "/"] [unique_id "WGTACH8AAAEAAEQ0krkAAAAQ"]
 [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "10.84.86.187"]

eperry · January 6, 2017, 4:10am

Then your going to want to split the line

since your format is pretty well formated it should be easy.

I am thinking of something like the following

Use the kv plugin to just split everything in to different fields, don't worry about the actual data you want, parse it all and then you can go from there.

https://www.elastic.co/guide/en/logstash/current/plugins-filters-kv.html#plugins-filters-kv-value_split

filter {
  kv {
    field_split => "\]\["
    value_split => "\ "
  }
}

Tr_ng_Trang · January 6, 2017, 8:32am

thanksyou friend, i will check it.

system · February 3, 2017, 8:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.