Hi Community,
I have multiline logs from Symantec Messaging Gateway (email server).
{"port":49542,"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:21:59 smtp01 bmserver: 1614684119|0a0a5199-534c370000006c49-29-603e1fd7fcf8|MSG_SIZE|3682","@timestamp":"2021-03-04T07:57:47.190Z","@version":"1"}
The problem is that I couldn't combine logs that contain the same value of "0a0a5199-534c370000006c49-29-603e1fd7fcf8". I'm using a regex value like this one:
input {
  tcp {
    port => 5097
    type => "smg"
    codec => multiline {
      # The pipes must be escaped: an unescaped "|" is regex alternation,
      # so "\d+|(.*?)|" reads as "digits OR anything OR nothing" and matches every line.
      pattern => "\d+\|(.*?)\|"
      what => "next"
    }
  }
}
What it does is check whether there are one or more digits, and after the digits there must be a pipe "|"; between the two pipes "|" and "|" there is a value. When it matches, it should combine all the lines that contain the same value of the unique ID, like this one "0a0a5199-534c370000006c49-29-603e1fd7fcf8".
This identifier "0a0a5199-534c370000006c49-29-603e1fd7fcf8" changes, but I am unable to combine the logs based on the unique identifier.
These are the log entries where the unique identifier is "0a0a5199-534c370000006c49-29-603e1fd7fcf8":
{"port":49542,"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:21:59 smtp01 bmserver: 1614684119|0a0a5199-534c370000006c49-29-603e1fd7fcf8|MSG_SIZE|3682","@timestamp":"2021-03-04T07:57:47.190Z","@version":"1"}
{"port":49542,"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:21:59 smtp01 bmserver: 1614684119|0a0a5199-534c370000006c49-29-603e1fd7fcf8|EHLO|hostname_here","@timestamp":"2021-03-04T07:57:47.190Z","@version":"1"}
{"port":49542,"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:21:59 smtp01 bmserver: 1614684119|0a0a5199-534c370000006c49-29-603e1fd7fcf8|LOGICAL_IP|10.10.81.133","@timestamp":"2021-03-04T07:57:47.190Z","@version":"1"}
{"port":49542,"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:21:59 smtp01 bmserver: 1614684119|0a0a5199-534c370000006c49-29-603e1fd7fcf8|UNTESTED|xyz@gmail.com|submission|spam|bulk|newsletter|suspicious_url|gray|safe|opl|has_urls|unscannable_pmc|content_740|content_1423808626610|content_1532019171118|content_500|content_1542184136209|content_1614087423761|content_720|content_750|content_600|content_1454394469379|content_1530882675851|content_1543489360725|content_1548324806784|content_1415274004379|content_700|content_1569318369896|content_730|content_760|content_1569928837176|content_1548326156991|content_1507892598349|content_520|content_521|content_710|sys_deny_ip|sys_allow_ip|sys_allow_email|sys_deny_email|dns_allow|dns_deny|user_allow|user_deny|freq_va|freq_dha|freq_sa|connection_class_0|connection_class_1|connection_class_2|connection_class_3|connection_class_4|connection_class_5|connection_class_6|connection_class_7|connection_class_8|connection_class_9|senderauth_batv_sign|senderauth_batv_fail|blockedlang|knownlang","@timestamp":"2021-03-04T07:57:47.190Z","@version":"1"}
And here are the logs where the unique identifier is 0a0a5199-534c370000006c49-2b-603e1fdc40df:
{"port":49542,"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:22:04 smtp01 bmserver: 1614684124|0a0a5199-534c370000006c49-2b-603e1fdc40df|MSG_SIZE|4447","@timestamp":"2021-03-04T07:57:47.190Z","@version":"1"}
{"port":49542,"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:22:04 smtp01 bmserver: 1614684124|0a0a5199-534c370000006c49-2b-603e1fdc40df|EHLO|hostname","@timestamp":"2021-03-04T07:57:47.190Z","@version":"1"}
{"port":49542,"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:22:04 smtp01 bmserver: 1614684124|0a0a5199-534c370000006c49-2b-603e1fdc40df|LOGICAL_IP|10.10.x.x","@timestamp":"2021-03-04T07:57:47.190Z","@version":"1"}
Desired output
There should be only two log entries, because there are two unique identifiers. How can I achieve it? Please help ...
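Added example, not part of the original post, in Ruby because that is what Logstash filters run: it shows why the unescaped pattern `\d+|(.*?)|` matches every line, extracts the identifier with an escaped pattern, and groups the post's event shape by that identifier. The sample JSON lines, `extract_id`, `group_by_id` and `combine` are constructed here, not a Logstash API.

```ruby
require 'json'

# Constructed sample events in the shape shown in the post (hosts are placeholders).
SAMPLE_LINES = [
  '{"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:21:59 smtp01 bmserver: 1614684119|0a0a5199-534c370000006c49-29-603e1fd7fcf8|MSG_SIZE|3682"}',
  '{"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:21:59 smtp01 bmserver: 1614684119|0a0a5199-534c370000006c49-29-603e1fd7fcf8|EHLO|hostname_here"}',
  '{"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:21:59 smtp01 bmserver: 1614684119|0a0a5199-534c370000006c49-29-603e1fd7fcf8|LOGICAL_IP|10.10.81.133"}',
  '{"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:22:04 smtp01 bmserver: 1614684124|0a0a5199-534c370000006c49-2b-603e1fdc40df|MSG_SIZE|4447"}',
  '{"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:22:04 smtp01 bmserver: 1614684124|0a0a5199-534c370000006c49-2b-603e1fdc40df|EHLO|hostname"}',
  '{"host":"10.10.x.x","type":"smg","message":"<158>Mar 2 16:22:04 smtp01 bmserver: heartbeat without an id"}'
].freeze

# Unescaped pipes are alternation: "digits OR anything OR nothing" matches any string,
# so a multiline codec using this pattern cannot tell one event from the next.
BROKEN_PATTERN = /\d+|(.*?)|/

# Escaped pipes match a literal "digits|id|" prefix and capture the id between the pipes.
ID_PATTERN = /\d+\|([^|]+)\|/

def extract_id(message)
  m = ID_PATTERN.match(message)
  m && m[1]
end

# Group messages by the captured identifier, in order of first appearance.
# Returns { id => [message, ...] }; lines with no id are left out rather than merged.
def group_by_id(lines)
  groups = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    msg = JSON.parse(line)['message']
    id = extract_id(msg)
    next if id.nil?
    groups[id] << msg
  end
  groups
end

# Join each group into one multi-line message, i.e. one combined event per id.
def combine(lines)
  group_by_id(lines).map { |id, msgs| [id, msgs.join("\n")] }.to_h
end
```

The multiline codec only joins consecutive lines, so grouping by a field value across events is normally done in Logstash with the aggregate filter (task_id set to the extracted id) rather than with multiline.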