Shibboleth Auth Logs _grokparsefailure


#1

How filebeat sends my shibboleth logs.
/etc/filebeat/filebeat.yml
Note: Code is truncated.

#--------------------------- Prospectors Path ---------------------------------
#filebeat.config.inputs:
#  enabled: true
#  path: /etc/filebeat/conf.d/*.yml
#
filebeat.config.prospectors:
enabled: true
path: /etc/filebeat/conf.d/*.yml

This is my filebeat config for shibboleth log shipping.
/etc/filebeat/conf.d/shibb.yml

====================================SHIBBOLETH========== =========================================
- type: log 
  paths:
  - /var/log/shibboleth/idp-process.log

exclude_lines: ['^DBG']
tags: ["shibboleth"]

# Include lines. A list of regular expressions to match. It exports the lines that are
# matching any regular expression from the list.
#include_lines: ['^ERR', '^WARN']

# Exclude files. A list of regular expressions to match. Filebeat drops the files that
# are matching any regular expression from the list. By default, no files are dropped.
exclude_files: ['.gz$']

# Optional additional fields. These fields can be freely picked
# to add additional information to the crawled log files for filtering
fields:
  level: debug
  review: 1

This is my shiv-dev code.

input {
generator {
	count => 1 
	message => "2018-09-27 21:23:54,633 - INFO [org.ldaptive.auth.Authenticator:282] - Authentication succeeded for dn: CN=jane.doe192,OU=Students,DC=three,DC=fifty,DC=onion"

}
}

filter {

grok { 
	match => { 
		"message" => "%{TIMESTAMP_ISO8601:logdate} - %{LOGLEVEL:log_level} (?<ldap-notes>\[[a-zA-Z0-9.:]*\]) - Authentication %{DATA:Success} for dn: %{GREEDYDATA:dubs}"
	}
}

kv {
	source => "dubs"
	field_split => ","
}

mutate {
   gsub => ["[dubs]", "DC|OU|CN|=", ""]
   split => { "[dubs]" => "," } # creates an array of strings in the [message] field]
   add_field => {
		"Common Name" => "%{[dubs][2]}.%{[dubs][3]}.%{[dubs][4]}"
   }
   remove_field => [ "DC" ]

   remove_tag => [ "othertags" ]
   }



mutate {
    # Original message has been fully parsed, so remove it.
    remove_field => [ "message" ]
	# Remove kv_pairs to avoid duplicate logs
    remove_field => [ "dubs" ]
}

}

output { stdout { codec => rubydebug } }

Sample output of dev code.

{
 "@timestamp" => 2018-10-05T18:49:18.663Z,
    "logdate" => "2018-09-27 21:23:54,633",
 "ldap-notes" => "[org.ldaptive.auth.Authenticator:282]",
   "@version" => "1",
    "Success" => "succeeded",
       "host" => "localhost",
   "sequence" => 0,
  "log_level" => "INFO",
         "CN" => "jane.doe192",
"Common Name" => "three.fifty.onion",
         "OU" => "Students"
}

I'm getting a _grokparsefailure and for the life of me can't figure out why I'm getting this error.

I was able to turn on debbuging.

[2018-10-05T14:39:23,556][DEBUG][logstash.pipeline        ] filter received {"event"=>{"beat"=>{"name"=>"logserver", "hostname"=>"local.host.name", "version"=>"6.3.2"}, "prospector"=>{"type"=>"log"}, "message"=>"2018-10-05 21:27:41,822 - INFO [org.ldaptive.auth.Authenticator:282] - Authentication failed for dn: CN=jane.doe057,OU=Staff,DC=three,DC=fifty,DC=onion", "tags"=>["shibboleth", "beats_input_codec_plain_applied"], "offset"=>27724776, "source"=>"/var/log/shibboleth/idp-process.log", "@timestamp"=>2018-10-05T21:39:21.163Z, "host"=>{"name"=>"serverSendingLogs"}, "fields"=>{"level"=>"debug", "env"=>"production", "review"=>1}, "input"=>{"type"=>"log"}, "@version"=>"1"}}

(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.