Problem with Grok debugger


#1

Hello
I have a problem with the Grok debugger.

I'm reading your post https://www.elastic.co/blog/grokking-the-linux-authorization-logs and I am trying to parse this sample line

Feb 21 21:56:12 localhost sshd[3430]: Invalid user test from 10.0.2.2

with this pattern

%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} user %{DATA:system.auth.user} from %{IPORHOST:system.auth.ip}

but I get the message "No match" from http://grokdebug.herokuapp.com/

I'm trying with the Kibana debugger (I have version 6.2.1), but I have the same problem.

If I break the string in two, the first string before the ":" and the second string after the ":", it works. Why?

Thank you for your attention
Franco


(Makara) #2

Hi
@franco.federico

The pattern is working in http://grokdebug.herokuapp.com/
Probably you have a newline character at the end of the pattern.


#3

Thank you Makara! It's incredible: now I'm copying and pasting the string into the grok debugger and it works.

I tried the same string in the grok debugger in Kibana and now it works.

Thank you for the quick response.

I'm continuing with the sample shown in the post that I linked.
Bye
Franco


#4

I found the error

This one works

%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:[%{POSINT:system.auth.pid}])?: %{DATA:system.auth.ssh.event} user %{DATA:system.auth.user} from %{IPORHOST:system.auth.ip}

Instead of this one, which is wrong for the grok debugger

%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} user %{DATA:system.auth.user} from %{IPORHOST:system.auth.ip}

If you look, there are "\" instead of "". Why?

Thank you again
Franco

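A minimal grok-style pattern expander, added here as an illustration and not Elastic's own code, that runs the thread's pattern against the sample sshd line and shows why a stray newline at the end of the pasted pattern produces "No match". The base patterns (SYSLOGTIMESTAMP, POSINT, DATA, ...) are simplified stand-ins for the real Logstash definitions; `\[` is the correct escape for the literal bracket around the pid, as in the original pattern.

```python
import re

# Simplified stand-ins for the Logstash/Elastic grok base patterns used by the
# thread's pattern (assumption: the real definitions are longer and stricter).
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "SYSLOGTIMESTAMP": r"%{MONTH} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "SYSLOGHOST": r"[\w.-]+",
    "POSINT": r"\b[1-9][0-9]*\b",
    "DATA": r".*?",
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+)",
}

_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")

def grok_to_regex(pattern, names):
    """Expand %{NAME:field} references into named groups. Dotted field names
    (system.auth.pid) are mapped to g0, g1, ... because Python group names
    cannot contain '.'; the mapping is kept in `names`."""
    def repl(m):
        syntax, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK_PATTERNS[syntax], names)  # nested references
        if field is None:
            return "(?:" + inner + ")"
        names.append(field)
        return "(?P<g%d>%s)" % (len(names) - 1, inner)
    return _REF.sub(repl, pattern)

def grok_match(pattern, line):
    """Return {field: value} for the first match, or None (grok's 'No match').
    Like the Logstash grok filter, the pattern is searched, not anchored."""
    names = []
    m = re.search(grok_to_regex(pattern, names), line)
    if m is None:
        return None
    return {names[i]: m.group("g%d" % i) for i in range(len(names))}

# Pattern and sample line from the thread.
PATTERN = (r"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} "
           r"sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} user "
           r"%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip}")
LINE = "Feb 21 21:56:12 localhost sshd[3430]: Invalid user test from 10.0.2.2"

if __name__ == "__main__":
    print(grok_match(PATTERN, LINE))          # all six fields extracted
    print(grok_match(PATTERN + "\n", LINE))   # pasted with a trailing newline: None
```

The trailing "\n" in the pattern demands a newline that the log line does not contain, so the whole pattern fails; splitting the pattern at the ":" only seemed to work because the half without the stray newline matched.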

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.