I want to parse these logs with a single grok filter. The first log has 5 arguments and the second log has 2 arguments. One way is to do it using two grok filters, but if there is a better method than that, please guide me. I also used the logical 'OR' after the second argument in the filter, but the filter only parses the log up to the end of the second argument and ignores the rest.
If you take a look, your messages have a header portion - type=EXECVE msg=audit(1585994474.430:1397) - and a payload portion - argc=5 a0="script" a1="-q" a2="-c" a3=6563686F2044415441 a4="file_to_write".
You can use a grok filter to parse the header, putting the payload in a temporary @metadata field.
Thank you @rcowart buddy. I have done it using the logical operator "OR"; previously I was not using the OR operator in the right way to satisfy my requirement.

type=%{WORD:[type]} msg=audit\(%{NUMBER}:%{NUMBER:[auditd][log][sequence]}\): (%{GREEDYDATA})?(a0=\"%{DATA:[a0]}\" a1=\"%{DATA:[a1]}\" a2=\"%{DATA:[a2]}\" a3=\"%{DATA:[a3]}\" a4=\"%{DATA:[a4]}\"|a0=\"%{DATA:[a0]}\" a1=\"%{DATA:[a1]}\")
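As an added example (not code from this thread or from the Logstash project), here is a Python parser that follows the two-step approach in the answer above: a fixed pattern for the header, then a generic key=value pass over the payload, so a record with any argc is handled without one alternation branch per argument count as in the pattern just posted. It also decodes auditd's hex-encoded arguments (a3 above is hex for "echo DATA"), which a %{DATA} capture leaves opaque. The sample lines, field names and the argc_mismatch flag are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample records in the two shapes discussed in the thread.
SAMPLE_LINES: List[str] = [
    'type=EXECVE msg=audit(1585994474.430:1397): argc=5 a0="script" a1="-q" '
    'a2="-c" a3=6563686F2044415441 a4="file_to_write"',
    'type=EXECVE msg=audit(1585994474.431:1398): argc=2 a0="ls" a1="-la"',
]

# Header: fixed layout, so a strict pattern is appropriate here.
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<seq>\d+)\): (?P<payload>.*)$')
# Payload: repeated key=value pairs, values either "quoted" or bare.
PAIR_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def decode_arg(raw: str, quoted: bool) -> str:
    """auditd hex-encodes an argv entry containing spaces, quotes or control
    characters instead of quoting it; a3=6563686F2044415441 is such a value."""
    if not quoted and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        try:
            return bytes.fromhex(raw).decode('utf-8')
        except UnicodeDecodeError:
            return raw  # keep the raw hex rather than lose the evidence
    return raw


def parse_execve(line: str) -> Dict[str, object]:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f'not an auditd EXECVE record: {line!r}')
    event: Dict[str, object] = {
        'type': m.group('type'),
        'timestamp': float(m.group('ts')),
        'auditd': {'log': {'sequence': int(m.group('seq'))}},
    }
    args: Dict[int, str] = {}
    for pm in PAIR_RE.finditer(m.group('payload')):
        key, quoted = pm.group('key'), pm.group('quoted') is not None
        raw = pm.group('quoted') if quoted else pm.group('bare')
        if key == 'argc':
            event['argc'] = int(raw)
        elif re.fullmatch(r'a\d+', key):      # only aN fields are argv entries
            args[int(key[1:])] = decode_arg(raw, quoted)
        else:
            event[key] = raw
    event['args'] = [args[i] for i in sorted(args)]
    event['command_line'] = ' '.join(event['args'])
    if event.get('argc') != len(event['args']):
        event['argc_mismatch'] = True  # split or truncated record; worth alerting on
    return event
```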