Time out executing grok


(Sandy) #1

Hello, I have a problem with getting a timeout executing grok. What I have learned is that the value exceeds the limit. The error: " Timeout executing grok against 'message' with value 'Value too large to output (1006 bytes)! First 255 chars are: "

Here is a sample of the log (there are 13 points that I want to get, and maybe the last point can be excluded):

// 1Sep 18 14:54:36 2hostname 3microsoft-windows-security-audit 44624 5An account was successfully logged on. Subject:Security ID:S-1-0-0Account Name:6**-Account Domain:7-Logon ID:0x0Logon Type:3New Logon:Security ID:S-1-5-21-1496626984-4026086081-1346473819-1199Account Name:8-Account Domain:9-Logon ID:0xbd421db9dLogon GUID:{00000000-0000-0000-0000-000000000000}Process Information:Process ID:0x0Process Name:-Network Information:Workstation Name:10-Source Network Address:11-Source Port:12-Detailed Authentication Information:13Logon Process:NtLmSsp Authentication Package:NTLMTransited Services:-Package Name (NTLM only):NTLM V2Key Length:128This event is generated when a logon session is created. Itis generated on the computer that was accessed.The subject fields indicate the account on the local systemwhich requested the logon. This is most commonly a servicesuch as the Server service, or a local process such asWinlogon.exe or Services.exe.The**

And here is the grok + regex that I made:

// match => { "message" => "%{SYSLOGTIMESTAMP:windows_timestamp} %{SYSLOGHOST:windows_hostname} (?<windows_service>\S+) %{POSINT:windows_eventid} (?<windows_event>.+?()|.))(.+?:.+?:.+?:)(?<windows_accname>.+?)(A.+?:)(?<windows_accdomain>.+?)(L.+?:.+?:.+?:.+?:)(?<windows_accName>.+)(A.+?:)(?<windows_accDomain>.+)(L.+?:.+:.+?:.+?:.+?:.+?:)(?<windows_workstation>.+)(S.+?:)(?<windows_srcip>.+)(S.+?:)(?<windows_srcport>.+)(D.+?:)%{GREEDYDATA:windows_message}" }

Any help would be greatly appreciated. Thanks in advance.


(Magnus Bäck) #2

The problem is your overuse of .* and .+ (including GREEDYDATA). It's extremely inefficient and from what I can tell completely unnecessary. Pick more specific expressions and you'll be fine. Or could you even use a kv filter here? It looks like a consistently delimited list of key/value pairs.
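A parser built the way this reply suggests, as an added example (not code from the thread or from Logstash): the known 4624 labels serve as the delimiters, as a kv filter would treat them, and the header regex uses tight character classes instead of `.+?` chains. The sample event is constructed from the question, and the field names and the section heuristic are assumptions of this example.

```python
import re

# Constructed sample: the 4624 event from the question, newlines stripped the way the forum shows it.
SAMPLE = (
    "Sep 18 14:54:36 hostname microsoft-windows-security-audit 4624 "
    "An account was successfully logged on. Subject:Security ID:S-1-0-0"
    "Account Name:-Account Domain:-Logon ID:0x0Logon Type:3New Logon:Security ID:"
    "S-1-5-21-1496626984-4026086081-1346473819-1199Account Name:-Account Domain:-"
    "Logon ID:0xbd421db9dLogon GUID:{00000000-0000-0000-0000-000000000000}"
    "Process Information:Process ID:0x0Process Name:-Network Information:"
    "Workstation Name:-Source Network Address:-Source Port:-"
    "Detailed Authentication Information:Logon Process:NtLmSsp "
    "Authentication Package:NTLMTransited Services:-Package Name (NTLM only):"
    "NTLM V2Key Length:128This event is generated when a logon session is created."
)
# Header: tight character classes, not \S+ / .+? chains, so a bad line fails fast instead of backtracking.
HEADER = re.compile(
    r"^(?P<windows_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<windows_hostname>[A-Za-z0-9._-]+) (?P<windows_service>[A-Za-z0-9._-]+) "
    r"(?P<windows_eventid>\d{1,5}) (?P<windows_event>[^.]{1,120}\.) ?(?P<body>.*)$"
)
# The body is "Label:value" pairs with nothing between them, so the known labels are the delimiters.
KNOWN_LABELS = [
    "Subject", "Security ID", "Account Name", "Account Domain", "Logon ID",
    "Logon Type", "New Logon", "Logon GUID", "Process Information", "Process ID",
    "Process Name", "Network Information", "Workstation Name",
    "Source Network Address", "Source Port", "Detailed Authentication Information",
    "Logon Process", "Authentication Package", "Transited Services",
    "Package Name (NTLM only)", "Key Length",
]
LABEL = re.compile("|".join(re.escape(l) + ":" for l in KNOWN_LABELS))

def parse_event(line):
    # Returns header fields plus "section.label" keys, or None if the layout differs.
    m = HEADER.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    body = m.group("body")
    idx = body.find("This event is generated")  # free-text description tail
    if idx >= 0:
        fields["windows_message"], body = body[idx:], body[:idx]
    labels = list(LABEL.finditer(body))
    section = ""
    for i, lab in enumerate(labels):
        stop = labels[i + 1].start() if i + 1 < len(labels) else len(body)
        key = lab.group()[:-1].lower().replace(" ", "_")
        value = body[lab.end():stop].strip()
        if value == "":  # assumption: a label with nothing after it opens a section
            section = key
        else:
            fields[f"{section}.{key}" if section else key] = value
    return fields
```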


(Sandy) #3

I've never used the kv filter but I will try it later. But right now I have a new problem; it says

logstash[20341]: [833B blob data]

do you know what it means?


(Magnus Bäck) #4

Is that it? No other messages in the surrounding context?


(Sandy) #5

Nope, I ran "service logstash status" and it shows that message, and my Logstash stopped sending logs to my Elastic.

Edited: it's running now. There was a problem in my grok, and now it's running.


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.