Writing multiline grok

Hi, I am trying to write a grok pattern for Apache mod_security logs.
    GET /images/new2.gif HTTP/1.1
    Accept: /
    Referer: http://www.rrcat.gov.in/
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: www.rrcat.gov.in
    X-Forwarded-For: 131.225.32.36
    If-Modified-Since: Tue, 23 Feb 2016 05:48:34 GMT
    Cache-Control: max-stale=0
    Connection: Keep-Alive
    Pragma: no-cache
    X-BlueCoat-Via: 7060c08b1ceaae72
Above is the sample input for my file.
Although I have decoded the first line, I can't understand how to decode the next lines.
Please help me with it.
The grok pattern for the first line is:

    %{WORD:method}%{SPACE}%{URIPATHPARAM:request}%{SPACE}%{WORD:protocol}

The grok pattern in the above message is wrong; the correct one is:

    %{CISCO_REASON:method}%{URIPATHPARAM:access}%{SPACE}%{WORD:protocol}/%{NUMBER:version}

So what should I do to segregate the next lines?

You could match against an array of patterns.

    grok {
        match  => {
            "message" => [
                "^Accept: %{GREEDYDATA:accept}",
                "^Referer: %{GREEDYDATA:referrer}",
                "^Accept-Language: %{GREEDYDATA:accept-language}",
                "^User-Agent: %{GREEDYDATA:user-agent}",
                "^Accept-Encoding: %{GREEDYDATA:accept-encoding}"
            ]
        }
    }

My full grok will look like:

    grok {
        match => {
            "message" => [
                "%{CISCO_REASON:method} %{URIPATHPARAM:access} %{URIPROTO:http_proto}/%{NUMBER:version}",
                "^Accept: %{GREEDYDATA:accept}",
                "^Referer: %{GREEDYDATA:referrer}",
                "^Accept-Language: %{GREEDYDATA:accept-language}",
                "^User-Agent: %{GREEDYDATA:user-agent}",
                "^Accept-Encoding: %{GREEDYDATA:accept-encoding}"
            ]
        }
    }
???

I am trying to match the pattern in the Grok Debugger (Dev Tools) in Kibana.

You would probably want to set 'break_on_match => false' if you configure it that way.
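As an added illustration that is not code from this thread, the Ruby below emulates what the grok filter above does with `break_on_match => false` on one multi-line request block: every pattern is tried and all captures are merged. Grok compiles `%{...}` into Oniguruma regexes, so Ruby named captures behave the same way; the `%{WORD}`, `%{URIPATHPARAM}` and `%{GREEDYDATA}` expansions are hand-written approximations, hyphenated field names become underscored (Ruby group names cannot contain `-`), and the `Host` and `X-Forwarded-For` patterns are extras not in the thread.

```ruby
# Added example, not from the thread: a Ruby emulation of the grok filter above
# with break_on_match => false. Logstash grok compiles %{...} into Oniguruma
# regexes, so plain Ruby named captures behave the same way on a multi-line
# event (in Ruby, ^ matches at every line start and . stops at a newline).
# Expansions are hand-written approximations of the grok library patterns:
#   %{WORD} -> \w+   %{URIPATHPARAM} -> /path[?query]   %{GREEDYDATA} -> .*
# Field names use _ instead of - because Ruby group names cannot contain -.
REQUEST_LINE = /^(?<method>\w+) (?<request>\/[^\s?]*(?:\?\S*)?) (?<protocol>HTTP)\/(?<version>\d+(?:\.\d+)?)/
HEADER_PATTERNS = [
  /^Accept: (?<accept>.*)/,
  /^Referer: (?<referrer>.*)/,
  /^Accept-Language: (?<accept_language>.*)/,
  /^User-Agent: (?<user_agent>.*)/,
  /^Accept-Encoding: (?<accept_encoding>.*)/,
  /^Host: (?<host>.*)/,
  # Not in the thread's patterns: the proxy-supplied client address (IPv4 only,
  # an assumption); useful for tying a request back to its origin.
  /^X-Forwarded-For: (?<x_forwarded_for>(?:\d{1,3}\.){3}\d{1,3})/
]

# Try every pattern against the whole event and merge all captures, which is
# what break_on_match => false does; an absent header simply adds no field.
def grok_request(message)
  fields = {}
  ([REQUEST_LINE] + HEADER_PATTERNS).each do |re|
    m = message.match(re)
    next unless m
    m.names.each { |name| fields[name] = m[name] }
  end
  fields
end

# The request block from the thread, embedded as constructed sample input.
SAMPLE = <<~REQ
  GET /images/new2.gif HTTP/1.1
  Accept: /
  Referer: http://www.rrcat.gov.in/
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: www.rrcat.gov.in
  X-Forwarded-For: 131.225.32.36
  If-Modified-Since: Tue, 23 Feb 2016 05:48:34 GMT
  Connection: Keep-Alive
REQ

if __FILE__ == $PROGRAM_NAME
  grok_request(SAMPLE).each { |k, v| puts "#{k}: #{v}" }
end
```

Note that this assumes the file input has already grouped the request's lines into one event; with the default line-per-event input each header arrives as its own message and only the matching single pattern fires.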

I tried, but I'm facing problems with my grok. My grok looks like:

    input {
        file {
            path => "/elk/Weblog/*"
            start_position => "beginning"
        }
    }
    filter {
        grok {
            break_on_match => false
            match => {
                "message" => [
                    "%{CISCO_REASON:method} %{URIPATHPARAM:access} %{URIPROTO:http_proto}/%{NUMBER:version}",
                    "^Accept: %{GREEDYDATA:accept}",
                    "^Referer: %{GREEDYDATA:referrer}",
                    "^Accept-Language: %{GREEDYDATA:accept-language}",
                    "^User-Agent: %{GREEDYDATA:user-agent}",
                    "^Accept-Encoding: %{GREEDYDATA:accept-encoding}"
                ]
            }
        }
    }
    output {
        elasticsearch {
            hosts => ["10.11.109.7:9200"]
            index => "logstash_apchelogs"
        }
    }
