Remove domain from username

Working with a string:

user-identity: Delete IP-User mapping 555.55.55.555 - LOCAL\user Succeeded - VPN user logout

I'm trying to extract the user field without the 'LOCAL'. I can capture the IP and string 'logout' for the session, but not having success with removing the domain from the user. Each log is the same with it coming through as LOCAL.

Any help is appreciated.

Thank you.

How? Are you using grok? dissect? Something else? What have you tried?

Using grok and I've tried so far; %{GREEDYDATA} %{IPV4:ip} %{GREEDYDATA} %{GREEDYDATA:user} %{GREEDYDATA} %{GREEDYDATA} %{GREEDYDATA} %{GREEDYDATA} %{GREEDYDATA:session}

What does your entire message look like? This is from Cisco ASA, right?

I use the following dissect to parse ASA log messages.

First I get the log id and message in different fields.

dissect {
    # Split the syslog wrapper: priority, timestamp, ASA message id, message body
    mapping => {
        "message" => "<%{}>%{timestamp}%%{[cisco][log][id]}:%{[cisco][log][message]}"
    }
    remove_field => ["message"]
}
mutate {
    # Drop the leading/trailing whitespace left by the dissect above
    strip => ["timestamp","[cisco][log][message]"]
}

Then I filter each log id and use a dissect, in this case it would be:

if [cisco][log][id] == "ASA-7-746013" {
    dissect {
        mapping => {
            "[cisco][log][message]" => "user-identity: Delete IP-User mapping %{[user][ip]} - %{[user][name]} %{} - %{[session][reason]}"
        }
    }
}

This would give me the field user.name with the value LOCAL\user; to get only the user I use a mutate filter.

mutate {
    gsub => [
        # first remove the backslash, then the literal domain name
        "[user][name]", "[\\]", "",
        "[user][name]", "LOCAL", ""
    ]
}

You can use grok to parse your log

user-identity: Delete IP-User mapping 192.168.0.1 - LOCAL\user Succeeded - VPN user logout

I just changed it to a correct IP format.
Here is an example of a grok config:

user-identity: %{WORD:action.name} IP-User mapping %{IP:user.ip} - %{WORD}\\%{USERNAME:user.name} %{WORD:action.status} - VPN user %{WORD:session.status}

The output looks like this:
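As an added example (not code from either answer above), here is a Python equivalent of the grok pattern and of the mutate/gsub step: it keeps the domain as its own field instead of discarding it, rejects addresses that are not real IPs the way %{IP} does, and shows why deleting the literal text LOCAL is fragile. The sample messages, usernames and addresses below are constructed.

```python
import ipaddress
import re

# Regex equivalent of the grok pattern above. Instead of %{WORD}\\ or a gsub
# that deletes "LOCAL", the domain prefix gets its own group, so nothing is lost
# and usernames that merely contain "LOCAL" stay intact. The prefix is optional.
ASA_746013 = re.compile(
    r"^user-identity: (?P<action>\w+) IP-User mapping (?P<ip>\S+) - "
    r"(?:(?P<domain>[^\\\s]+)\\)?(?P<user>[^\\\s]+) (?P<status>\w+)"
    r" - VPN user (?P<session>\w+)$"
)


def parse_asa_746013(message):
    """Return the parsed fields, or None when the line does not match or the
    address is not a real IP (grok's %{IP} also rejects 555.55.55.555)."""
    m = ASA_746013.match(message)
    if m is None:
        return None
    fields = m.groupdict()
    try:
        ipaddress.ip_address(fields["ip"])
    except ValueError:
        return None
    fields["domain"] = fields["domain"] or ""  # no DOMAIN\ prefix present
    return fields


def strip_domain_gsub(name):
    """Mirror the mutate/gsub recipe: delete backslashes, then the text LOCAL."""
    return name.replace("\\", "").replace("LOCAL", "")


def strip_domain_split(name):
    """Keep only what follows the last backslash; works for any domain."""
    return name.rsplit("\\", 1)[-1]


# Constructed sample messages (hypothetical usernames, RFC 5737 addresses).
SAMPLES = [
    "user-identity: Delete IP-User mapping 192.0.2.10 - LOCAL\\user Succeeded - VPN user logout",
    "user-identity: Delete IP-User mapping 192.0.2.11 - LOCAL\\LOCALadmin Succeeded - VPN user logout",
    "user-identity: Delete IP-User mapping 192.0.2.12 - CORP\\jdoe Succeeded - VPN user logout",
    "user-identity: Delete IP-User mapping 555.55.55.555 - LOCAL\\user Succeeded - VPN user logout",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_asa_746013(line))
```

Run against the second sample, the gsub recipe turns LOCAL\LOCALadmin into "admin" while the split keeps "LOCALadmin"; the last sample is dropped because its address is not a valid IP, which is the same reason the original %{IPV4} attempt did not match.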
