Pipeline to parse SSL certificate data from httpd message lines?

I am new to ELK, and need to figure out a way to pull a username out of the httpd messages I am currently sending to logstash. The message lines look like this:

100.100.100.200 - - [16/Jan/2019:19:35:55 +0000] "GET /xx/api/notifications?cacheBuster=1547667357681 HTTP/1.1" 200 2 "https://www.testsite.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" SSL_DN='cn=userabc123,ou=Component,ou=XXX,ou=XXX,o=TheCompany,c=us' SSL_DUTY_AGENCY='' SSL_CITIZENSHIP='' SSL_ADMIN_ORG='' SSL_CLEARANCE=''  999999

I need to be able to parse out the userabc123 into a separate metric, but haven't found any pre-built code that can do it for me. Has anyone here come across a similar issue?

I would do that using dissect.

dissect { mapping => { "message" => "%{}SSL_DN='cn=%{user1},%{}" } }

Thanks, Badger. I'll give that a try!

So here is how I implemented that into my pipeline file, but I'm clearly not doing it right - any advice?

input {
    beats {
        port => 5044
    }
}

filter {
    grok {
        match => { "dissect { mapping => { "message" => "%{}SSL_DN='cn=%{user1},%{}" } } "}
    }
}

output {
    elasticsearch {
        hosts => "localhost:9200"
        manage_template => false
        index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
}

grok is one type of filter, dissect is another. Whilst grok solves a lot of pattern matching problems, dissect solves some of them more efficiently, so it is good to have both in your toolbox. Try

filter {
    dissect { mapping => { "message" => "%{}SSL_DN='cn=%{user1},%{}" } }
}

This assumes that the cn= field never contains a comma (it says that the comma ends the %{user1} field). But you would have the same fragility in grok. It looks like you could match "SSL_DN='cn=%{WORD:user2}" but what if the user name is more complex than a WORD?

Either way, it should get you started.

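The comma fragility mentioned in the answer above, shown as an added Python example (not code from the thread or from Logstash): `dissect_user` reproduces what the `%{}SSL_DN='cn=%{user1},%{}` mapping extracts, while `dn_user` splits the DN on unescaped commas only, so a cn value with a backslash-escaped comma (RFC 4514 style) is still recovered whole. The sample lines are constructed in the shape of the one in the question.

```python
import re

# Constructed sample line, same layout as the httpd message in the question
SAMPLE_LINE = (
    '100.100.100.200 - - [16/Jan/2019:19:35:55 +0000] "GET /xx/api/notifications HTTP/1.1" 200 2 '
    '"https://www.testsite.com/" "Mozilla/5.0" '
    "SSL_DN='cn=userabc123,ou=Component,ou=XXX,o=TheCompany,c=us' "
    "SSL_DUTY_AGENCY='' SSL_CITIZENSHIP='' SSL_ADMIN_ORG='' SSL_CLEARANCE=''  999999"
)

# Constructed variant whose cn contains an escaped comma, the case the dissect mapping breaks on
ESCAPED_LINE = SAMPLE_LINE.replace("cn=userabc123,", r"cn=Doe\, Jane,")

SSL_DN_RE = re.compile(r"SSL_DN='([^']*)'")


def extract_ssl_dn(line):
    """Return the raw SSL_DN value between the quotes, or None if the line has no SSL_DN field."""
    m = SSL_DN_RE.search(line)
    return m.group(1) if m else None


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas; a backslash-escaped comma stays inside its value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def dissect_user(line):
    """What the dissect mapping yields: the text after cn= up to the first comma, escaped or not."""
    dn = extract_ssl_dn(line)
    if dn is None or not dn.startswith("cn="):
        return None  # dissect would report a match failure here
    return dn[3:].split(",", 1)[0]


def dn_user(line):
    """Escape-aware alternative: the value of the cn attribute, whichever RDN it sits in."""
    dn = extract_ssl_dn(line)
    if dn is None:
        return None
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == "cn":
            return value
    return None
```

For the plain line both functions agree; for the escaped line the dissect equivalent stops at the backslash, which is the fragility worth checking for in your own DN data before relying on the mapping.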

Exactly what I needed. Thanks for all the help!
