Timestamp does not match data

tjunge · February 26, 2022, 9:39pm

Hi,

I am new to Elastic Stack and trying to filter my fail2ban log.

In Grok Debugger I tried to simulate my Grok pattern on my data but have problems with the timestamp. I always get the simulate error: Provided Grok patterns do not match data in the input.

Input:

Feb 25 09:29:09 fail2ban-server[35630]: fail2ban.actions [35630]: NOTICE  [postfix-gateways-soft] Ban 2001:41d0:8:ca94::/

Grok pattern:

%{SYSLOGTIMESTAMP} %{WORD:src_action} *\[%{INT:fail2ban_digit}\]: %{LOGLEVEL:loglevel} *\[%{NOTSPACE:service}\] %{WORD:ban_status} %{IP:clientip}

2022-02-26 22_09_22-Window

If I use the input without date and time I got an output as expected

fail2ban-server[35630]: fail2ban.actions [35630]: NOTICE  [postfix-gateways-soft] Ban 2001:41d0:8:ca94::

%{WORD:src_action} *\[%{INT:fail2ban_digit}\]: %{LOGLEVEL:loglevel} *\[%{NOTSPACE:service}\] %{WORD:ban_status} %{IP:clientip}

{
  "service": "postfix-gateways-soft",
  "loglevel": "NOTICE",
  "clientip": "2001:41d0:8:ca94::",
  "ban_status": "Ban",
  "src_action": "actions",
  "fail2ban_digit": "35630"
}

How can I get it working with the timestamp at the beginning of the input?

Thanks for your help in advance.

Tom

Badger · February 26, 2022, 9:48pm

tjunge:

Feb 25 09:29:09 fail2ban-server[35630]: fail2ban.actions [35630]: NOTICE  [postfix-gateways-soft] Ban 2001:41d0:8:ca94::/

Grok pattern:

%{SYSLOGTIMESTAMP} %{WORD:src_action} *\[%{INT:fail2ban_digit}\]: %{LOGLEVEL:loglevel} *\[%{NOTSPACE:service}\] %{WORD:ban_status} %{IP:clientip}

SYSLOGTIMESTAMP will consume 'Feb 25 09:29:09'. WORD:src_action will match the following 'fail2ban'. Then there nothing in your pattern to match '-server[35630]: fail2ban.actions'. You need to add to your grok pattern to match that.

tjunge · February 27, 2022, 2:21pm

Badger

thanks a lot for this hint.
That helped me to solve the problem

%{SYSLOGTIMESTAMP:timestamp} %{WORD:log_service_1}-%{WORD:log_service_2}\[%{INT:fail2ban_digit}\]: %{WORD:log_src}.%{WORD:src_action} *\[%{INT:fail2ban_digit}\]: %{LOGLEVEL:loglevel} *\[%{NOTSPACE:service}\] %{WORD:ban_status} %{IP:clientip}

Output:

{
  "ban_status": "Ban",
  "log_src": "fail2ban",
  "log_2": "server",
  "log_1": "fail2ban",
  "service": "postfix-gateways-soft",
  "loglevel": "NOTICE",
  "clientip": "2001:41d0:8:ca94::",
  "src_action": "actions",
  "fail2ban_digit": "35640",
  "timestamp": "Feb 25 09:29:09"
}

system · March 27, 2022, 2:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Provided Grok patterns do not match data in the input Logstash	5	2399	February 2, 2020
Grok date parsing trouble Logstash	3	23023	July 6, 2017
Logstash - Unable to match date pattern Logstash	2	589	July 31, 2018
Logstash timestamp issue Logstash	4	486	March 6, 2017
@Timestamp is not matching event timestamp _dateparsefailure Logstash	3	162	November 2, 2023

Timestamp does not match data

Related topics