Q. grok filter pattern

jeongsyhd · September 16, 2018, 3:35am

I created a filter as shown below.
There are three types of logs, so there are three patterns.
log A can use the message if "action" in [message].
But what about log B and log C ?

log A: sip = 1.1.1.1 dip = 2.2.2.2 sport = 100 dport = 200 action = permit
log B: sip = 1.1.1.1 dip = 2.2.2.2 sport = 100 dport = 200 attack = 10.10.10.10
log C: sip = 1.1.1.1 dip = 2.2.2.2 attack = 10.10.10.10

filter {

  #log A
  if "action" in [message]
  {
           grok {match => {"message" => "grok_pattern_A"}}
  }

  #log B
  else if "???" in [message]
  {
           grok {match => {"message" => "grok_pattern _B"}}
  }

  #log C
  else if "???" in [message]
  {
           grok {match => {"message" => "grok_pattern _C"}}
  }

}

Thank you in advance.

Christian_Dahlqvist · September 16, 2018, 4:43am

Parse our the full part that contains key-value pairs using grok or dissect and then use the kv filter to parse this, not grok.

jeongsyhd · September 16, 2018, 6:52am

Can you show an example using the above log?

Christian_Dahlqvist · September 16, 2018, 11:03am

I meant something like this:

input {
  generator {
    lines => ['log A: sip = 1.1.1.1 dip = 2.2.2.2 sport = 100 dport = 200 action = permit',
              'log B: sip = 1.1.1.1 dip = 2.2.2.2 sport = 100 dport = 200 attack = 10.10.10.10',
              'log C: sip = 1.1.1.1 dip = 2.2.2.2 attack = 10.10.10.10']
    count => 1
  } 
} 

filter {
  dissect {
    mapping => {
      "message" => "%{initial_part}: %{kvpart}"
    }
  }

  mutate {
    gsub => ["kvpart", " = ", "="]
  }

  kv {
    source => "kvpart"
  }
}

output {
  stdout { codec => rubydebug }
}

jeongsyhd · September 16, 2018, 3:46pm

Thank you for showing me a good sample.

Can I use a grok filter instead of a dissect filter?
ex) grok {match => {"message" => "grok_pattern_B"}}

And is there any other way?

If there is a simpler way than the above method, I would like to do it.

Thank you in advance.

Christian_Dahlqvist · September 16, 2018, 3:48pm

You can use grok instead of the dissect filter, but for this example I thought it was easier. What about this approach is too complicated? Trying to use grok alone will likely be more complex as well as less efficient.

jeongsyhd · September 16, 2018, 4:23pm

Um ...
Actually, I did not understand the sample well.
Would you be willing to give me a little more detail?

Christian_Dahlqvist · September 16, 2018, 4:45pm

The dissect filter is used to put the full string containing the key-value pairs into a field named kvpart. The mutate part then removes spaces surrounding the equals sign so that the key-value string matches the default separators. The kv filter is then applied to parse out the fields.

system · October 14, 2018, 4:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.