Regroupe LDAP log lines with same id on the same DataTable raw

Noureddine_Brahmi · November 21, 2018, 9:53am

Hello,

I'm currently working on an ElasticSearch project that monitors LDAP logs.

In the LDAP logs, related events shares the same id (connection_number). I was wondering is there is a solution to regroupe the various fieds in different documents that shares the same id.

Ex:

[04/Aug/2018:22:34:15 +0200] conn=184214 op=0 msgId=1 - BIND dn="cn=XOPOY,ou=programs,o=psa" method=128 version=3

[04/Aug/2018:22:34:15 +0200] conn=184214 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.000450 dn="cn=mwplim02,ou=programs,o=psa"

[04/Aug/2018:22:34:15 +0200] conn=184214 op=2 msgId=3 - UNBIND

The goal is to have a datatable with:

TIMESTAMP | conn | dn (from the BIND) | err | etime

PS: I already have a grok filter in place that sperates the various fields

Thank you !

Marius_Dragomir · November 22, 2018, 11:50am

Something like this has to be done most likely at ingest time. I think the Logstash team will able to help you more with this. You can ask in their part of the forums.

Noureddine_Brahmi · November 22, 2018, 12:07pm

Thanks for the reply, I will do that.

system · December 20, 2018, 12:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.