When migrating Logstash from CentOS to Debian I get the tag "_grokparsefailure"

I need to migrate the ELK stack from CentOS to Debian. On the new server I installed the same version of Logstash with the same settings, permissions and configs, but the logs are not parsed: the tag "_grokparsefailure" is assigned.

Log example

Nov 30 11:59:14 elkdeb snmptrapd[1231]: 2023-11-30 11:59:14 <UNKNOWN> [UDP: [10.0.15.113]:161->[10.10.1.29]:162]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2292058400) 265 days, 6:49:44.00#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3902.1082.500.10.3.1.80#011SNMPv2-SMI::enterprises.3902.1082.500.20.2.1.2.1.15.285278985.0 = STRING: "TEST"#011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.2.285278985.0 = Hex-STRING: 5A 54 45 47 C5 89 53 21 #011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.3.285278985.0 = Hex-STRING: 47 43 35 38 39 35 33 32 31 00 #011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.8.285278985.0 = STRING: "V9.0.0P1N1"#011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.9.285278985.0 = Hex-STRING: 07 E7 0B 14 10 30 0C 00 00 00 00

.conf file

input {
  file {
    path => "/var/log/rsyslog/snmptrap.log"
    type => "snmptraps"
  }
}


filter {

  if [type] == "snmptraps" {
    grok {
      patterns_dir => "/etc/logstash/patterns.t"
      match => { "message" => "%{FIN}" }
    }
    date {
      match => [ "[remote][timestamp]", "YYYY-MM-dd HH:mm:ss", "ISO8601" ]
      #timezone => "Asia/Bishkek"
    }
...

/etc/logstash/patterns.t/snmptrap2

SYSLOGTIMEHOST          %{SYSLOGTIMESTAMP:[local][time]} %{SYSLOGHOST:[local][host]} %{WORD:[local][daemon]}\[%{NUMBER:[local][pid]}\]:
ONTTIMEST               %{TIMESTAMP_ISO8601:[remote][timestamp]} %{DATA} \[%{WORD:protocol}: \[%{IP:[remote][ip]}\]:%{POSINT:[remote][port]}->\[%{IP:[local][ip]}\]:%{POSINT:[local][port]}\]:#012
SUTI                    (%{INT} day(s)?, )?%{TIME}
SAS                     %{SUTI:[OLT][uptime]}
ONNS                    ([0-9]|[0-9][0-9])
BASE                    %{NOTSPACE} = %{WORD}: \(%{NUMBER}\) %{SAS}#011%{NOTSPACE} = %{WORD}: %{NOTSPACE}enterprises.%{NOTSPACE:OID}
UNREG                   #011%{DATA}.%{INT:[ONT][port]}.%{ONNS:[ONT][ON]} = %{WORD}: "%{DATA:[ONT][version][hardware]}"#011%{NOTSPACE} = %{NOTSPACE}: %{DATA:[ONT][SN]} #011%{NOTSPACE} = %{NOTSPACE}: %{DATA}( )?#011%{NOTSPACE} = %{WORD}: "%{DATA:[ONT][version][software]}"#011%{NOTSPACE} = %{NOTSPACE}: %{DATA}
AEPOV                   #011%{NOTSPACE}enterprises.%{NOTSPACE:[zxAn][Power][SupplyInVoltage][code]} = %{WORD}: %{INT:[zxAn][Power][SupplyInVoltage][value]}#011%{NOTSPACE}enterprises.%{NOTSPACE:[zxAn][Power][InVoltageUpperThresh][code]} = %{WORD}: %{INT:[zxAn][Power][InVoltageUpperThresh][value]}
STAT                    #011%{NOTSPACE}::enterprises.%{DATA}.%{INT:[ONT][port]}.%{ONNS:[ONT][ON]} = %{WORD}: "%{DATA:[zxAn][GponOnuMgmt][Name]}"#011%{NOTSPACE} = %{WORD}: "%{DATA:[zxAn][GponOnuMgmt][TypeName]}"#011%{NOTSPACE} = %{WORD}: "%{DATA:[zxAn][GponOnuMgmt][Desc]}"#011%{NOTSPACE} = %{WORD}: "%{DATA:[zxAn][GponOnuMgmt][RegistrationInfo]}"
WHAT                    #011%{NOTSPACE}::enterprises.%{DATA}.%{INT:[ONT][port]}.%{ONNS:[ONT][ON]}.%{ONNS:[ONT][LANPORT]} = %{WORD}: %{INT:[zxAn][GponRmEthUni][ExpectedType]}

FIN                     %{SYSLOGTIMEHOST} %{ONTTIMEST}(%{BASE}(%{UNREG}|%{AEPOV}|%{STAT}|%{WHAT})|%{BASE})

Everything works fine on the CentOS server, but not on Debian.

Hi,

  1. Check the Logstash logs: Logstash logs can provide more information about why the grok filter is failing. The logs are typically located in /var/log/logstash/logstash-plain.log.
  2. Enable debug mode in Logstash by modifying the Logstash configuration file:

Open the Logstash configuration file usually located at /etc/logstash/logstash.yml.
Look for the line that starts with "log.level:".
Change the log level to "debug" by editing the line to read as follows: "log.level: debug".

There are too many logs, so I will give the points that are important in my opinion.

[2023-11-30T16:52:31,836][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGTIMEHOST"=>"%{SYSLOGTIMESTAMP:[local][time]} %{SYSLOGHOST:[local][host]} %{WORD:[local][daemon]}\\[%{NUMBER:[local][pid]}\\]:"}
[2023-11-30T16:52:31,836][DEBUG][logstash.filters.grok    ] Adding pattern {"ONTTIMEST"=>"%{TIMESTAMP_ISO8601:[remote][timestamp]} %{DATA} \\[%{WORD:protocol}: \\[%{IP:[remote][ip]}\\]:%{POSINT:[remote][port]}->\\[%{IP:[local][ip]}\\]:%{POSINT:[local][port]}\\]:#012"}
[2023-11-30T16:52:31,836][DEBUG][logstash.filters.grok    ] Adding pattern {"SUTI"=>"(%{INT} day(s)?, )?%{TIME}"}
[2023-11-30T16:52:31,836][DEBUG][logstash.filters.grok    ] Adding pattern {"SAS"=>"%{SUTI:[OLT][uptime]}"}
[2023-11-30T16:52:31,837][DEBUG][logstash.filters.grok    ] Adding pattern {"ONNS"=>"([0-9]|[0-9][0-9])"}
[2023-11-30T16:52:31,837][DEBUG][logstash.filters.grok    ] Adding pattern {"BASE"=>"%{NOTSPACE} = %{WORD}: \\(%{NUMBER}\\) %{SAS}#011%{NOTSPACE} = %{WORD}: %{NOTSPACE}enterprises.%{NOTSPACE:OID}"}
[2023-11-30T16:52:31,837][DEBUG][logstash.filters.grok    ] Adding pattern {"UNREG"=>"#011%{DATA}.%{INT:[ONT][port]}.%{ONNS:[ONT][ON]} = %{WORD}: \"%{DATA:[ONT][version][hardware]}\"#011%{NOTSPACE} = %{NOTSPACE}: %{DATA:[ONT][SN]} #011%{NOTSPACE} = %{NOTSPACE}: %{DATA}( )?#011%{NOTSPACE} = %{WORD}: \"%{DATA:[ONT][version][software]}\"#011%{NOTSPACE} = %{NOTSPACE}: %{DATA}"}
[2023-11-30T16:52:31,837][DEBUG][logstash.filters.grok    ] Adding pattern {"AEPOV"=>"#011%{NOTSPACE}enterprises.%{NOTSPACE:[zxAn][Power][SupplyInVoltage][code]} = %{WORD}: %{INT:[zxAn][Power][SupplyInVoltage][value]}#011%{NOTSPACE}enterprises.%{NOTSPACE:[zxAn][Power][InVoltageUpperThresh][code]} = %{WORD}: %{INT:[zxAn][Power][InVoltageUpperThresh][value]}"}
[2023-11-30T16:52:31,838][DEBUG][logstash.filters.grok    ] Adding pattern {"STAT"=>"#011%{NOTSPACE}::enterprises.%{DATA}.%{INT:[ONT][port]}.%{ONNS:[ONT][ON]} = %{WORD}: \"%{DATA:[zxAn][GponOnuMgmt][Name]}\"#011%{NOTSPACE} = %{WORD}: \"%{DATA:[zxAn][GponOnuMgmt][TypeName]}\"#011%{NOTSPACE} = %{WORD}: \"%{DATA:[zxAn][GponOnuMgmt][Desc]}\"#011%{NOTSPACE} = %{WORD}: \"%{DATA:[zxAn][GponOnuMgmt][RegistrationInfo]}\""}
[2023-11-30T16:52:31,838][DEBUG][logstash.filters.grok    ] Adding pattern {"WHAT"=>"#011%{NOTSPACE}::enterprises.%{DATA}.%{INT:[ONT][port]}.%{ONNS:[ONT][ON]}.%{ONNS:[ONT][LANPORT]} = %{WORD}: %{INT:[zxAn][GponRmEthUni][ExpectedType]}"}
[2023-11-30T16:52:31,838][DEBUG][logstash.filters.grok    ] Adding pattern {"FIN"=>"%{SYSLOGTIMEHOST} %{ONTTIMEST}(%{BASE}(%{UNREG}|%{AEPOV}|%{STAT}|%{WHAT})|%{BASE})"}

...

[2023-11-30T16:52:31,866][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:%{SYSLOGTIMEHOST} %{ONTTIMEST}(%{BASE}(%{UNREG}|%{AEPOV}|%{STAT}|%{WHAT})|%{BASE}))
[2023-11-30T16:52:31,867][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:%{SYSLOGTIMESTAMP:[local][time]} %{SYSLOGHOST:[local][host]} %{WORD:[local][daemon]}\[%{NUMBER:[local][pid]}\]:)
[2023-11-30T16:52:31,869][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<SYSLOGTIMESTAMP:[local][time]>%{MONTH} +%{MONTHDAY} %{TIME})
[2023-11-30T16:52:31,869][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\b)
[2023-11-30T16:52:31,870][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))
[2023-11-30T16:52:31,870][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9]))
[2023-11-30T16:52:31,871][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:2[0123]|[01]?[0-9]))
[2023-11-30T16:52:31,871][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:[0-5][0-9]))
[2023-11-30T16:52:31,871][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?))
[2023-11-30T16:52:31,872][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<SYSLOGHOST:[local][host]>%{IPORHOST})
[2023-11-30T16:52:31,872][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:%{IP}|%{HOSTNAME}))
[2023-11-30T16:52:31,872][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:%{IPV6}|%{IPV4}))
[2023-11-30T16:52:31,873][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d
|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]
|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0
-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((2
5[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)
[2023-11-30T16:52:31,873][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))
[2023-11-30T16:52:31,873][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))
[2023-11-30T16:52:31,874][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<WORD:[local][daemon]>\b\w+\b)
[2023-11-30T16:52:31,874][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<NUMBER:[local][pid]>(?:%{BASE10NUM}))
[2023-11-30T16:52:31,874][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))
[2023-11-30T16:52:31,874][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:%{TIMESTAMP_ISO8601:[remote][timestamp]} %{DATA} \[%{WORD:protocol}: \[%{IP:[remote][ip]}\]:%{POSINT:[remote][port]}->\[%{IP:[local][ip]}\]:%{POSINT:[local][port]}\]:#012)
[2023-11-30T16:52:31,874][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<TIMESTAMP_ISO8601:[remote][timestamp]>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?)

...

[2023-11-30T16:52:31,916][DEBUG][logstash.filters.grok    ] Grok compiled OK {:pattern=>"%{FIN}", :expanded_pattern=>"(?:(?:(?<SYSLOGTIMESTAMP:[local][time]>(?:\\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa
]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\\b) +(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])) (?:(?!<[0-9])(?:(?:2[0123]|[01
]?[0-9])):(?:(?:[0-5][0-9]))(?::(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))(?![0-9]))) (?<SYSLOGHOST:[local][host]>(?:(?:(?:(?:(?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]
\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:)
{4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-
4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){
3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((
25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?)|(?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0
-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))))|(?:\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b))))) (?<WORD:[local][daemon]>\\b\\w+\\b)\\[(?<NUMBER:[local][pid]>(?:(?:(?<![0-9.+-
])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+))))))\\]:) (?:(?<TIMESTAMP_ISO8601:[remote][timestamp]>(?:(?>\\d\\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T ](?:(?:2[0123]|[01]?[0-9])):?(?:(?
:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?) (?:.*?) \\[(?<WORD:protocol>\\b\\w+\\b): \\[(?<IP:[remote][ip]>(?:(?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]
{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\
.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}
(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0
-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d))
{3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?)|(?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0
-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))))\\]:(?<POSINT:[remote][port]>\\b(?:[1-9][0-9]*)\\b)->\\[(?<IP:[local][ip]>(?:(?:((([0-9A-Fa-f]{1,4}:){7}([
0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-
9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]
{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((2
5[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[
1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?)|(?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](
?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))))\\]:(?<POSINT:[local][port]>\\b(?:[1-9][0-9]*)\\b)\\]:#012)((?:@varbind_list=\\[#<SNMP::VarBind:
(?:\\S+) @name=\\[(?<NOTSPACE:[snmptrap][varbind_1][name]>\\S+)\\],)((?:#011(?:.*?).(?<INT:[ONT][port]>(?:[+-]?(?:[0-9]+))).(?<ONNS:[ONT][ON]>([0-9]|[0-9][0-9])) = (?:\\b\\w+\\b): \"(?<DATA:[ONT][version][hardware]>.*?)\"#011(?:\\S+)
= (?:\\S+): (?<DATA:[ONT][SN]>.*?) #011(?:\\S+) = (?:\\S+): (?:.*?)( )?#011(?:\\S+) = (?:\\b\\w+\\b): \"(?<DATA:[ONT][version][software]>.*?)\"#011(?:\\S+) = (?:\\S+): (?:.*?))|(?:#011(?:\\S+)enterprises.(?<NOTSPACE:[zxAn][Power][Supp
lyInVoltage][code]>\\S+) = (?:\\b\\w+\\b): (?<INT:[zxAn][Power][SupplyInVoltage][value]>(?:[+-]?(?:[0-9]+)))#011(?:\\S+)enterprises.(?<NOTSPACE:[zxAn][Power][InVoltageUpperThresh][code]>\\S+) = (?:\\b\\w+\\b): (?<INT:[zxAn][Power][InV
oltageUpperThresh][value]>(?:[+-]?(?:[0-9]+))))|(?:#011(?:\\S+)::enterprises.(?:.*?).(?<INT:[ONT][port]>(?:[+-]?(?:[0-9]+))).(?<ONNS:[ONT][ON]>([0-9]|[0-9][0-9])) = (?:\\b\\w+\\b): \"(?<DATA:[zxAn][GponOnuMgmt][Name]>.*?)\"#011(?:\\S+
) = (?:\\b\\w+\\b): \"(?<DATA:[zxAn][GponOnuMgmt][TypeName]>.*?)\"#011(?:\\S+) = (?:\\b\\w+\\b): \"(?<DATA:[zxAn][GponOnuMgmt][Desc]>.*?)\"#011(?:\\S+) = (?:\\b\\w+\\b): \"(?<DATA:[zxAn][GponOnuMgmt][RegistrationInfo]>.*?)\")|(?:#011(
?:\\S+)::enterprises.(?:.*?).(?<INT:[ONT][port]>(?:[+-]?(?:[0-9]+))).(?<ONNS:[ONT][ON]>([0-9]|[0-9][0-9])).(?<ONNS:[ONT][LANPORT]>([0-9]|[0-9][0-9])) = (?:\\b\\w+\\b): (?<INT:[zxAn][GponRmEthUni][ExpectedType]>(?:[+-]?(?:[0-9]+)))))|(
?:@varbind_list=\\[#<SNMP::VarBind:(?:\\S+) @name=\\[(?<NOTSPACE:[snmptrap][varbind_1][name]>\\S+)\\],)))"}

...

[2023-11-30T16:52:52,460][DEBUG][logstash.pipeline        ] Pushing flush onto pipeline {:pipeline_id=>"main", :thread=>"#<Thread:0x46f53ee3 sleep>"}
[2023-11-30T16:52:54,940][DEBUG][filewatch.tailmode.handlers.grow] read_to_eof: get chunk
[2023-11-30T16:52:54,964][DEBUG][logstash.inputs.file     ] Received line {:path=>"/var/log/rsyslog/snmptrap.log", :text=>"Nov 29 16:35:14 elkdeb snmptrapd[1231]: 2023-11-29 16:35:14 <UNKNOWN> [UDP: [10.0.15.113]:161->[10.10.1.29]:162]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2292058400) 265 days, 6:49:44.00#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3902.1082.500.10.3.1.80#011SNMPv2-SMI::enterprises.3902.1082.500.20.2.1.2.1.15.285278985.0 = STRING: \"TEST\"#011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.2.285278985.0 = Hex-STRING: 5A 54 45 47 C5 89 53 21 #011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.3.285278985.0 = Hex-STRING: 47 43 35 38 39 35 33 32 31 00 #011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.8.285278985.0 = STRING: \"V9.0.0P1N1\"#011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.9.285278985.0 = Hex-STRING: 07 E7 0B 14 10 30 0C 00 00 00 00"}
[2023-11-30T16:52:55,081][DEBUG][filewatch.sincedbcollection] writing sincedb (delta since last write = 1701341575)
[2023-11-30T16:52:55,186][DEBUG][logstash.pipeline        ] filter received {"event"=>{"host"=>"elkdeb", "message"=>"Nov 29 16:35:14 elkdeb snmptrapd[1231]: 2023-11-29 16:35:14 <UNKNOWN> [UDP: [10.0.15.113]:161->[10.10.1.29]:162]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2292058400) 265 days, 6:49:44.00#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3902.1082.500.10.3.1.80#011SNMPv2-SMI::enterprises.3902.1082.500.20.2.1.2.1.15.285278985.0 = STRING: \"TEST\"#011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.2.285278985.0 = Hex-STRING: 5A 54 45 47 C5 89 53 21 #011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.3.285278985.0 = Hex-STRING: 47 43 35 38 39 35 33 32 31 00 #011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.8.285278985.0 = STRING: \"V9.0.0P1N1\"#011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.9.285278985.0 = Hex-STRING: 07 E7 0B 14 10 30 0C 00 00 00 00", "@version"=>"1", "type"=>"snmptraps", "@timestamp"=>2023-11-30T10:52:55.043Z, "path"=>"/var/log/rsyslog/snmptrap.log"}}
[2023-11-30T16:52:55,218][DEBUG][logstash.filters.grok    ] Running grok filter {:event=>#<LogStash::Event:0x37722acd>}
[2023-11-30T16:52:55,258][DEBUG][logstash.filters.grok    ] Event now:  {:event=>#<LogStash::Event:0x37722acd>}
[2023-11-30T16:52:55,278][DEBUG][logstash.filters.mutate  ] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"[ONT][SN]", :value=>nil}
[2023-11-30T16:52:55,290][DEBUG][logstash.filters.mutate  ] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"hex_ont", :value=>nil}
[2023-11-30T16:52:55,291][DEBUG][logstash.filters.mutate  ] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"hex_ont", :value=>nil}
[2023-11-30T16:52:55,292][DEBUG][logstash.filters.mutate  ] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"hex_ont", :value=>nil}
[2023-11-30T16:52:55,292][DEBUG][logstash.filters.mutate  ] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"hex_ont", :value=>nil}
[2023-11-30T16:52:55,292][DEBUG][logstash.filters.mutate  ] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"hex_ont", :value=>nil}
[2023-11-30T16:52:55,294][DEBUG][logstash.filters.mutate  ] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"[ONT][SN]", :value=>nil}
[2023-11-30T16:52:55,294][DEBUG][logstash.filters.mutate  ] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"[ONT][SN]", :value=>nil}
[2023-11-30T16:52:55,294][DEBUG][logstash.filters.mutate  ] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"[ONT][SN]", :value=>nil}
[2023-11-30T16:52:55,295][DEBUG][logstash.filters.mutate  ] gsub mutation is only applicable for strings and arrays of strings, skipping {:field=>"[ONT][SN]", :value=>nil}
[2023-11-30T16:52:55,305][DEBUG][logstash.pipeline        ] output received {"event"=>{"host"=>"elkdeb", "message"=>"Nov 29 16:35:14 elkdeb snmptrapd[1231]: 2023-11-29 16:35:14 <UNKNOWN> [UDP: [10.0.15.113]:161->[10.10.1.29]:162]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2292058400) 265 days, 6:49:44.00#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3902.1082.500.10.3.1.80#011SNMPv2-SMI::enterprises.3902.1082.500.20.2.1.2.1.15.285278985.0 = STRING: \"TEST\"#011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.2.285278985.0 = Hex-STRING: 5A 54 45 47 C5 89 53 21 #011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.3.285278985.0 = Hex-STRING: 47 43 35 38 39 35 33 32 31 00 #011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.8.285278985.0 = STRING: \"V9.0.0P1N1\"#011SNMPv2-SMI::enterprises.3902.1082.500.10.2.2.5.1.9.285278985.0 = Hex-STRING: 07 E7 0B 14 10 30 0C 00 00 00 00", "@version"=>"1", "type"=>"snmptraps", "@timestamp"=>2023-11-30T10:52:55.043Z, "path"=>"/var/log/rsyslog/snmptrap.log", "tags"=>["_grokparsefailure"]}}
[2023-11-30T16:52:55,389][DEBUG][logstash.outputs.opensearch] Sending final bulk request for batch. {:action_count=>1, :payload_size=>1028, :content_length=>1028, :batch_offset=>0}

I don't understand what "replacement_pattern" does, and for "Grok compiled OK {:pattern=>"%{FIN}", :expanded_pattern=>", is this what it should look like? It looks strange.

OpenSearch/OpenDistro are AWS run products and differ from the original Elasticsearch and Kibana products that Elastic builds and maintains. You may need to contact them directly for further assistance.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

Don't worry, I was asking about Logstash.

I solved the problem. I completely checked the "Grok compiled OK" output from the logs against my pattern and noticed that the "BASE" pattern is displayed as:

(?:@varbind_list=\\[#<SNMP::VarBind:(?:\\S+) @name=\\[(?<NOTSPACE:[snmptrap][varbind_1][name]>\\S+)\\],)

And I realized that this is a pattern from /etc/logstash/patterns.t/snmptrap:

BASE         @varbind_list=\[#<SNMP::VarBind:%{NOTSPACE} @name=\[%{NOTSPACE:[snmptrap][varbind_1][name]}\],

I changed the name of the pattern and everything worked. Does Logstash work differently on CentOS and Debian? In CentOS they are reassigned as variables.
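The failure above comes from two files in the same patterns_dir both defining BASE: grok loads every file into one namespace, so whichever file is read last wins, and the read order is not guaranteed to be the same on two hosts. The following is an added example, not code from the thread or from Logstash: a pre-deploy check that loads a patterns directory the same way, flags names defined in more than one file, and expands %{...} references into the "(?:...)" / "(?<NAME:field>...)" forms that appear as replacement_pattern and expanded_pattern in the debug log. The two pattern files and the handful of built-in patterns are constructed from the snippets quoted in this thread.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed subset of grok's built-in patterns, copied from the expanded
# forms visible in the debug output above (only the ones the demo needs).
BUILTIN = {
    "NOTSPACE": r"\S+",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "INT": r"(?:[+-]?(?:[0-9]+))",
}

# Constructed copies of the two pattern files quoted in the thread, trimmed
# to the lines needed here. Both define BASE, which is the whole problem.
DEMO_FILES = {
    "snmptrap": r"""BASE   @varbind_list=\[#<SNMP::VarBind:%{NOTSPACE} @name=\[%{NOTSPACE:[snmptrap][varbind_1][name]}\],
""",
    "snmptrap2": r"""ONNS   ([0-9]|[0-9][0-9])
BASE   %{NOTSPACE} = %{WORD}: \(%{NUMBER}\) %{SAS}#011%{NOTSPACE} = %{WORD}: %{NOTSPACE}enterprises.%{NOTSPACE:OID}
WHAT   #011%{NOTSPACE}::enterprises.%{DATA}.%{INT:[ONT][port]}.%{ONNS:[ONT][ON]}.%{ONNS:[ONT][LANPORT]} = %{WORD}: %{INT:[zxAn][GponRmEthUni][ExpectedType]}
""",
}

PATTERN_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_]+)\s+(?P<regex>.+)$")
PATTERN_REF = re.compile(r"%\{(?P<name>[A-Za-z0-9_]+)(?::(?P<field>[^}]+))?\}")


def build_demo_dir():
    """Write the constructed pattern files into a temp dir and return its path."""
    directory = tempfile.mkdtemp(prefix="patterns.t-")
    for fname, body in DEMO_FILES.items():
        with open(os.path.join(directory, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return directory


def load_patterns(directory, order=None):
    """Load every file in `directory` into ONE namespace, as grok does with
    patterns_dir: a later definition of a name silently replaces the earlier
    one. `order` pins the load order, which grok itself does not sort.
    Returns (patterns, definitions) with definitions: name -> [(file, regex)]."""
    patterns = dict(BUILTIN)
    definitions = defaultdict(list)
    for fname in order or sorted(os.listdir(directory)):
        with open(os.path.join(directory, fname), encoding="utf-8") as fh:
            for line in fh:
                m = PATTERN_LINE.match(line.rstrip("\n"))
                if not m or line.startswith("#"):
                    continue  # blank or comment line
                patterns[m.group("name")] = m.group("regex")
                definitions[m.group("name")].append((fname, m.group("regex")))
    return patterns, dict(definitions)


def find_collisions(definitions):
    """Names defined in more than one file: the check that would have caught
    the BASE clash before any _grokparsefailure appeared."""
    return {n: [f for f, _ in d] for n, d in definitions.items() if len(d) > 1}


def expand(text, patterns, depth=0):
    """Expand %{NAME} / %{NAME:field} recursively into the '(?:...)' and
    '(?<NAME:field>...)' forms shown in the debug log."""
    if depth > 50:
        raise RecursionError("pattern reference cycle")

    def repl(m):
        name, field = m.group("name"), m.group("field")
        if name not in patterns:
            raise KeyError("undefined grok pattern %s" % name)
        body = expand(patterns[name], patterns, depth + 1)
        return "(?<%s:%s>%s)" % (name, field, body) if field else "(?:%s)" % body

    return PATTERN_REF.sub(repl, text)


if __name__ == "__main__":
    d = build_demo_dir()
    for order in (["snmptrap", "snmptrap2"], ["snmptrap2", "snmptrap"]):
        pats, defs = load_patterns(d, order)
        print("load order", order, "-> collisions:", find_collisions(defs))
        print("  BASE now expands from:", pats["BASE"][:40], "...")
    print(expand("%{WHAT}", pats))
```

Expanding %{WHAT} reproduces the WHAT branch of the "Grok compiled OK" line above character for character, which is the quickest way to confirm which definition of a name actually went into the compiled regex.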
