Problem while using dissect plugin to parse logs

Hi

I have a requirement of parsing netstat logs using Logstash. Sample logs look like below:


The Logstash configuration which I tried is here:

input {
  file {
    path => "/home/samplelog"
    start_position => "beginning"
  }
}

filter {
  dissect {
    mapping => {
      "message" => "TIME: %{time}
%{}"
    }
  }

  if [message] =~ /^\s+(TCP|UDP)/ {
    dissect {
      mapping => {
        "message" => "%{?tmp->} %{Protocol->} %{localAdd->} %{Foreign Address->} %{state}"
      }
    }
  } else {
    drop {}
  }
}

output {
  if "_grokparsefailure" not in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "anyindex"
    }
  }

  stdout { codec => rubydebug }
}

The resulting output from the above configuration is:

{
    "Protocol" => "TCP",
    "localAdd" => "",
    "time" => "",
    "path" => "/home/avk03/JarAndZip/jar-file/config/logstash-6.1.1/Logs/try.txt",
    "state" => " 0.0.0.0:445 0.0.0.0:0 LISTENING",
    "@timestamp" => 2018-06-15T10:08:19.779Z,
    "@version" => "1",
    "message" => " TCP 0.0.0.0:445 0.0.0.0:0 LISTENING",
    "host" => "avk03-Vostro-3800",
    "Foreign Address" => ""
}

The parser is not reading lines which contain TIME data. I am not able to resolve this issue; please help.

The pattern for the TIME field has a newline in it. If you are not using the multiline codec and split as described in this thread, it will not work, as all lines will be processed separately and therefore not contain any newline.
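
One way to wire up what the reply above describes, as an added example (not the configuration from the referenced thread, and not the poster's final one): the multiline codec joins each `TIME:` header with the rows under it so the newline in the dissect pattern has something to match, and `split` then turns every row back into its own event that keeps the `time` field. The `rows` field name, the `^TIME:` block boundary and the `auto_flush_interval` value are assumptions; the path and the row pattern are the ones from the question.

```logstash
input {
  file {
    path => "/home/samplelog"
    start_position => "beginning"
    codec => multiline {
      # Any line that does NOT start with "TIME:" is appended to the previous
      # line, so one event holds a TIME header plus all rows below it.
      pattern => "^TIME:"
      negate => true
      what => "previous"
      # Emit the last block after 2s of silence instead of waiting for the next TIME line.
      auto_flush_interval => 2
    }
  }
}

filter {
  # The event now contains real newlines, so the delimiter after %{time} can match.
  dissect {
    mapping => {
      "message" => "TIME: %{time}
%{rows}"
    }
  }

  # One event per row (default terminator is a newline); each copy keeps "time".
  split { field => "rows" }

  if [rows] =~ /^\s+(TCP|UDP)/ {
    dissect {
      mapping => {
        "rows" => "%{?tmp->} %{Protocol->} %{localAdd->} %{Foreign Address->} %{state}"
      }
    }
  } else {
    drop {}
  }
}
```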

Yes, I got where I made the mistake. Now, after using the multiline codec and split filter, the parser is working fine. 🙂

"@timestamp": "2018-06-26T07:50:10.161Z",
"Foreign Address": "0.0.0.0:0",
"message": " TCP 0.0.0.0:10 0.0.0.0:0 Ramya",
"localAdd": "0.0.0.0:10",
"tags": [
    "multiline"
],
"Protocol": "TCP",
"@version": "1",
"host": "avk03-Vostro-3800",
"path": "/home/avk03/JarAndZip/jar-file/config/logstash-6.1.1/Logs/abc",
"state": "ESTABLISHED",
"time": "16:14:30.13"

Now I have to convert the above time to a date object using the date filter. Is it possible only for time in Logstash? Please reply.
