Hi,
I came across a weird issue.
I made a grok pattern that works well and matches my log in http://grokdebug.herokuapp.com, but when I use the same pattern in my logstash, it's not working properly. I get a field mismatch. Please check below:
This is the log:
Tue Mar 7 12:23:41 2017 : Auth: (49087) Login incorrect (eap_peap: TLS Alert write:fatal:decode error): [johndoe] (from client WIFI-Control-Dev port 13 cli bb-41-e2-1c-12-12)
Grok pattern:
\(%{NOTSPACE:removed}\) %{DATA:AUTHWAY} (?:\(%{DATA:removed}\))?: (?:\[%{DATA:username}\]) \(from client %{NOTSPACE:radius_client} port %{INT:radius_port}(?: cli %{NOTSPACE:radius_cli})?(?: via %{DATA:radius_via})?\)
In Grok debugger, it's working but not in my server. In my server, the logstash config reads as:
filter {
  if [type] == "radius-auth" {
    grok {
      patterns_dir => "/etc/logstash/patterns/"
      match => [ "message", "%{FREERADIUS_LINE}" ]
    }
    if [fr_logclass] == "Auth" {
      grok {
        patterns_dir => "/etc/logstash/patterns/"
        match => [ "fr_message", "%{FREERADIUS_AUTH}" ]
      }
    }
    date {
      match => [ "timestamp" , "EEE MMM dd HH:mm:ss YYYY",
                 "EEE MMM d HH:mm:ss YYYY"]
    }
  }
}
/etc/logstash/patterns/radius-auth.pattern contains
FREERADIUS_DATE %{DAY} %{MONTH} ?%{MONTHDAY} %{TIME} %{YEAR}
FREERADIUS_LOGTYPE Auth|Info|Error|Proxy
FREERADIUS_CLIENT %{NOTSPACE:radius_client}
FREERADIUS_PORT %{INT:radius_port}
FREERADIUS_CLI %{NOTSPACE:radius_cli}
FREERADIUS_VIA %{DATA:radius_via}
FREERADIUS_FROM \(from client %{FREERADIUS_CLIENT} port %{FREERADIUS_PORT}(?: cli %{FREERADIUS_CLI})?(?: via %{FREERADIUS_VIA})?\)
FREERADIUS_USERNAME %{DATA:username}
FREERADIUS_REASON (?:\(%{DATA:radius_reason}\))?:
FREERADIUS_MODULE \brlm_[a-z]+\b
# Auth log lines
FREERADIUS_LOGINOK \(%{NOTSPACE:removed}\) %{GREEDYDATA:AUTHWAY}: \[%{FREERADIUS_USERNAME}\] %{FREERADIUS_FROM}
FREERADIUS_LOGININCORRECT \(%{NOTSPACE:removed}\) %{DATA:AUTHWAY} (?:\(%{DATA:radius_reason}\))?: (?:\[%{DATA:username}\]) \(from client %{NOTSPACE:radius_client} port %{INT:radius_port}(?: cli %{NOTSPACE:radius_cli})?(?: via %{DATA:radius_via})?\)
FREERADIUS_INVALIDUSER \(%{NOTSPACE:removed}\) %{GREEDYDATA:AUTHWAY}: \[%{FREERADIUS_USERNAME}\] %{FREERADIUS_FROM}
FREERADIUS_AUTH (?:%{FREERADIUS_LOGINOK}|%{FREERADIUS_LOGININCORRECT}|%{FREERADIUS_INVALIDUSER})
# Main match on whole log line:
FREERADIUS_LINE %{FREERADIUS_DATE:timestamp} : %{FREERADIUS_LOGTYPE:fr_logclass}: +%{GREEDYDATA:fr_message}
But in my server, the radius_reason field is not getting separated and it's merging with the AUTHWAY field.
Ruby debug:
{
           "fr_message" => "(49087) Login incorrect (eap_peap: TLS Alert write:fatal:decode error): [johndoe] (from client WIFI-Control-Dev port 13 cli bb-41-e2-1c-12-12)",
               "offset" => 185,
              "AUTHWAY" => "Login incorrect (eap_peap: TLS Alert write:fatal:decode error)",
           "input_type" => "log",
          "radius_port" => "13",
               "source" => "/var/log/radius/radius.log",
              "message" => "Tue Mar 7 12:23:41 2017 : Auth: (49087) Login incorrect (eap_peap: TLS Alert write:fatal:decode error): [johndoe] (from client WIFI-Control-Dev port 13 cli bb-41-e2-1c-12-12)",
                 "type" => "radius-auth",
                 "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
           "@timestamp" => 2017-03-07T12:23:41.000Z,
          "fr_logclass" => "Auth",
              "removed" => "49087",
        "radius_client" => "WIFI-Control-Dev",
             "@version" => "1",
                 "beat" => {
        "hostname" => "localhost.localdomain",
            "name" => "localhost.localdomain",
         "version" => "5.1.1"
    },
                 "host" => "localhost.localdomain",
           "radius_cli" => "bb-41-e2-1c-12-12",
            "timestamp" => "Tue Mar 7 12:23:41 2017",
             "username" => "johndoe"
}
The AUTHWAY field should only contain "Login incorrect". But it is also accompanied by "(eap_peap: TLS Alert write:fatal:decode error)", which should be in a separate field as "radius_reason". In the online grok debugger, both are displayed as separate fields, but not in my server.
Any idea how to resolve this?
Thank you.
and couldn't figure out why.
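Added example, not part of the post above: a minimal grok-style pattern expander in Ruby (Logstash's grok filter is itself Ruby on the Oniguruma regex engine, so the matching semantics are the same). It compiles the post's FREERADIUS_* definitions into one regex the way grok does (`%{NAME}` becomes a non-capturing group, `%{NAME:field}` a named group) and runs FREERADIUS_AUTH against the `fr_message` shown in the rubydebug output. The point it shows: the online debugger was given FREERADIUS_LOGININCORRECT on its own, but the server goes through FREERADIUS_AUTH, whose alternation tries FREERADIUS_LOGINOK first; LOGINOK's `%{GREEDYDATA:AUTHWAY}` matches the whole "Login incorrect (...)" text, so the first alternative succeeds and the LOGININCORRECT branch with `radius_reason` is never tried. Putting the more specific alternative first makes the same definitions produce the separate field. The four base patterns (NOTSPACE, DATA, GREEDYDATA, INT) are assumed to be the logstash-patterns-core definitions; nothing else is taken from outside the post.

```ruby
# Added example (not the poster's code): mini grok expander reproducing the
# alternation-order behaviour of FREERADIUS_AUTH on the post's log line.

# Assumption: base patterns as defined in logstash-patterns-core.
BASE_PATTERNS = {
  "NOTSPACE"   => '\S+',
  "DATA"       => '.*?',
  "GREEDYDATA" => '.*',
  "INT"        => '(?:[+-]?(?:[0-9]+))',
}.freeze

# The post's own definitions from radius-auth.pattern (those FREERADIUS_AUTH needs).
POSTED_PATTERNS = BASE_PATTERNS.merge(
  "FREERADIUS_CLIENT"   => '%{NOTSPACE:radius_client}',
  "FREERADIUS_PORT"     => '%{INT:radius_port}',
  "FREERADIUS_CLI"      => '%{NOTSPACE:radius_cli}',
  "FREERADIUS_VIA"      => '%{DATA:radius_via}',
  "FREERADIUS_FROM"     => '\(from client %{FREERADIUS_CLIENT} port %{FREERADIUS_PORT}(?: cli %{FREERADIUS_CLI})?(?: via %{FREERADIUS_VIA})?\)',
  "FREERADIUS_USERNAME" => '%{DATA:username}',
  "FREERADIUS_LOGINOK"  => '\(%{NOTSPACE:removed}\) %{GREEDYDATA:AUTHWAY}: \[%{FREERADIUS_USERNAME}\] %{FREERADIUS_FROM}',
  "FREERADIUS_LOGININCORRECT" => '\(%{NOTSPACE:removed}\) %{DATA:AUTHWAY} (?:\(%{DATA:radius_reason}\))?: (?:\[%{DATA:username}\]) \(from client %{NOTSPACE:radius_client} port %{INT:radius_port}(?: cli %{NOTSPACE:radius_cli})?(?: via %{DATA:radius_via})?\)',
  "FREERADIUS_INVALIDUSER" => '\(%{NOTSPACE:removed}\) %{GREEDYDATA:AUTHWAY}: \[%{FREERADIUS_USERNAME}\] %{FREERADIUS_FROM}',
  # Order as posted: LOGINOK is tried first.
  "FREERADIUS_AUTH" => '(?:%{FREERADIUS_LOGINOK}|%{FREERADIUS_LOGININCORRECT}|%{FREERADIUS_INVALIDUSER})',
).freeze

# Same definitions, with the more specific alternative moved to the front.
REORDERED_PATTERNS = POSTED_PATTERNS.merge(
  "FREERADIUS_AUTH" => '(?:%{FREERADIUS_LOGININCORRECT}|%{FREERADIUS_LOGINOK}|%{FREERADIUS_INVALIDUSER})',
).freeze

# %{NAME} or %{NAME:field}
REF = /%\{(\w+)(?::(\w+))?\}/

# Recursively expand pattern references into a single regex source string,
# the way grok builds its Oniguruma regex.
def grok_expand(name, patterns)
  patterns.fetch(name).gsub(REF) do
    m = Regexp.last_match
    inner = grok_expand(m[1], patterns)
    m[2] ? "(?<#{m[2]}>#{inner})" : "(?:#{inner})"
  end
end

# Apply a named pattern to text with an unanchored search (as grok does) and
# return the named captures that actually matched; nil if nothing matched.
# Captures belonging to an alternation branch that was abandoned are nil and
# therefore dropped, which is exactly why radius_reason is absent below.
def grok_match(name, text, patterns)
  m = Regexp.new(grok_expand(name, patterns)).match(text)
  return nil unless m
  m.named_captures.reject { |_, v| v.nil? }
end

# fr_message exactly as it appears in the post's rubydebug output.
FR_MESSAGE = "(49087) Login incorrect (eap_peap: TLS Alert write:fatal:decode error): " \
             "[johndoe] (from client WIFI-Control-Dev port 13 cli bb-41-e2-1c-12-12)"

def parse_as_posted(text = FR_MESSAGE)
  grok_match("FREERADIUS_AUTH", text, POSTED_PATTERNS)
end

def parse_reordered(text = FR_MESSAGE)
  grok_match("FREERADIUS_AUTH", text, REORDERED_PATTERNS)
end

if __FILE__ == $PROGRAM_NAME
  puts "FREERADIUS_AUTH, posted order:    #{parse_as_posted.inspect}"
  puts "FREERADIUS_AUTH, reordered:       #{parse_reordered.inspect}"
  puts "LOGININCORRECT alone (debugger):  " \
       "#{grok_match('FREERADIUS_LOGININCORRECT', FR_MESSAGE, POSTED_PATTERNS).inspect}"
end
```

With the posted order, AUTHWAY comes back as "Login incorrect (eap_peap: TLS Alert write:fatal:decode error)" and there is no radius_reason key, matching the rubydebug output in the post; with LOGININCORRECT first, AUTHWAY is "Login incorrect" and radius_reason is "eap_peap: TLS Alert write:fatal:decode error", which is what the debugger showed for the single pattern. The general rule for grok alternations is to list the most specific alternative first, or to make the earlier alternatives unable to match the later ones' input (here LOGINOK and INVALIDUSER are identical, so the third branch can never fire either).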