Unable to parse data with grok

Hi Team,

I have the following logs and am trying to parse them with a grok pattern, but I am not able to get a proper grok pattern for it. Kindly help me to parse the data into JSON format.

I am trying to write the pattern as below.

2025-01-19 23:56:49,Major,WIN-T0RGB9G66A7,Event Description: The client will block traffic from IP address 192.168.10.62 for the next 600 seconds (from 1/19/2025 11:56:45 PM to 1/20/2025 12:06:45 AM). ,Event Type: Active Response,Local Host IP: 192.168.10.52,Local Host MAC: 000C29F0E882,Remote Host Name: ,Remote Host IP: 192.168.10.62,Remote Host MAC: 000C292124E3,Inbound,OTHERS,,Begin: 2025-01-19 23:56:45,End Time: 2025-01-20 00:06:45,Occurrences: 1,Application: ,Location: Default,User Name: Administrator,Domain Name: WIN-T0RGB9G66A7,Local Port: 0,Remote Port: 0,CIDS Signature ID: 0,CIDS Signature string: ,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: ,MD-5: ,Intensive Protection Level: N/A,URL Risk: N/A,URL Category: N/A,Correlation ID:

Thank you in advance.

Regards,
Eshwar

I wouldn't use grok for that. You could start with

    dissect { mapping => { "message" => "%{[@metadata][timestamp]},%{field1},%{[host][name]},%{[@metadata][restOfLine]}" } }
    date { match => [ "[@metadata][timestamp]", "YYYY-MM-dd HH:mm:ss" ] }
    kv { source => "[@metadata][restOfLine]" field_split => "," value_split => ":" }
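To show what the dissect + kv approach above produces, here is an added Python emulation (not Logstash itself and not code from either poster) that applies the same split to the line from the question: the first three comma fields become timestamp, severity and host name, the remainder is split on "," and each token on its first ":", so the colons inside "Event Description" and "Begin" stay in the value, and bare tokens such as "Inbound", "OTHERS" and the empty field are dropped. Whitespace trimming and keeping empty values are assumptions of this emulation, not a statement of the kv filter's defaults.

```python
import json
from datetime import datetime

# The log line from the question, reassembled verbatim.
SAMPLE_LINE = (
    "2025-01-19 23:56:49,Major,WIN-T0RGB9G66A7,"
    "Event Description: The client will block traffic from IP address 192.168.10.62 for the next 600 seconds "
    "(from 1/19/2025 11:56:45 PM to 1/20/2025 12:06:45 AM). ,Event Type: Active Response,"
    "Local Host IP: 192.168.10.52,Local Host MAC: 000C29F0E882,Remote Host Name: ,"
    "Remote Host IP: 192.168.10.62,Remote Host MAC: 000C292124E3,Inbound,OTHERS,,"
    "Begin: 2025-01-19 23:56:45,End Time: 2025-01-20 00:06:45,Occurrences: 1,Application: ,"
    "Location: Default,User Name: Administrator,Domain Name: WIN-T0RGB9G66A7,Local Port: 0,"
    "Remote Port: 0,CIDS Signature ID: 0,CIDS Signature string: ,CIDS Signature SubID: 0,"
    "Intrusion URL: ,Intrusion Payload URL: ,SHA-256: ,MD-5: ,Intensive Protection Level: N/A,"
    "URL Risk: N/A,URL Category: N/A,Correlation ID:"
)


def dissect(line: str) -> tuple[str, str, str, str]:
    """Emulates the dissect mapping: three leading comma fields, rest of line untouched."""
    parts = line.split(",", 3)
    if len(parts) != 4:
        raise ValueError("line does not have the expected three leading fields")
    return parts[0], parts[1], parts[2], parts[3]


def kv(rest: str) -> dict[str, str]:
    """Emulates kv with field_split ',' and value_split ':' (split on the FIRST colon only)."""
    fields: dict[str, str] = {}
    for token in rest.split(","):
        if ":" not in token:          # "Inbound", "OTHERS" and "" carry no key/value pair
            continue
        key, _, value = token.partition(":")
        fields[key.strip()] = value.strip()   # trimming is an assumption of this emulation
    return fields


def parse_event(line: str) -> dict:
    """Full pipeline: dissect -> date -> kv, merged into one event document."""
    ts, severity, host, rest = dissect(line)
    event = {
        "@timestamp": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").isoformat(),
        "field1": severity,
        "host": {"name": host},
    }
    event.update(kv(rest))
    return event


if __name__ == "__main__":
    print(json.dumps(parse_event(SAMPLE_LINE), indent=2))
```

Running it prints the event as JSON; the blocked peer is available as "Remote Host IP" for alerting or enrichment without any further grok work.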