qeeqbox/honeypots

Grok patterns

fredericgoossens opened this issue · 3 comments

Does someone have grok patterns for this so it can be parsed using Logstash?

Made this one for the ftp service:

'timestamp': '%{TIMESTAMP_ISO8601:timestamp}', 'server': '%{WORD:service}', 'action': '%{WORD:action}', 'data': {'cmd': '%{WORD:cmd}', 'args': %{QUOTEDSTRING:args}}, 'src_ip': '%{IP:src_ip}', 'src_port': '%{NUMBER:src_port}', 'dest_ip': '%{IP:dest_ip}', 'dest_port': '%{NUMBER:dest_port}'

Just FYI,
Logstash has a JSON filter plugin which will parse it out:

input {
}

filter {
json {
source => "message"
}
}

output {
}

Thanks for letting me know. But what you're suggesting still needs some tuning. I currently have the following Logstash filter:

input {
  beats {
    port => 5044
  }
}

filter {
        mutate {
          gsub => [
            "message", "'", '"',
            "message", ": None\b", ": null",
            "message", ": True\b", ": true",
            "message", "\\\\x", "\\\\\\\\x",
            "message", "\\x", "\\\\x",
            "message", "\\x", "\\\\u00"
          ]
        }
    json { source => "message" remove_field => [ "message" ] }
}


output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "xubuntu-%{[@metadata][version]}"
  }
}

Some logs are not getting parsed correctly
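The log lines discussed in this thread are Python dict reprs, not JSON, which is why the quote-swapping gsub chain works for most lines and fails for some: a field containing an apostrophe is emitted by Python with double quotes, so turning every `'` into `"` leaves an unbalanced string, and a `\x00`-style escape is not a legal JSON escape at all. The following added example (not code from the honeypots project or from any participant in this issue) shows both failure modes next to a converter that parses the line with `ast.literal_eval` and re-emits real JSON. The sample lines are constructed to resemble that repr style and reuse the field names from the grok pattern posted above; the exact format of the honeypots output is assumed, not taken from the project's source.

```python
"""Turn honeypots-style log lines (Python dict repr) into JSON for Logstash.

Added example for this thread, not code from the honeypots project or from
the issue author. The sample lines are constructed; the field names follow
the grok pattern posted in the issue.
"""
import ast
import json

# Constructed sample lines. In the log file a "\x00" escape is the literal
# characters backslash-x-0-0, which is what "\\x00" yields in this source.
SAMPLE_LINES = [
    "{'timestamp': '2021-05-01T10:00:00.000000', 'server': 'ftp_server', "
    "'action': 'command', 'data': {'cmd': 'USER', 'args': 'anonymous'}, "
    "'src_ip': '198.51.100.7', 'src_port': '51234', "
    "'dest_ip': '10.0.0.5', 'dest_port': '21'}",
    # an apostrophe in a field: Python's repr switches to double quotes
    "{'timestamp': '2021-05-01T10:00:01.000000', 'server': 'ftp_server', "
    "'action': 'command', 'data': {'cmd': 'PASS', 'args': \"it's\"}, "
    "'src_ip': '198.51.100.7', 'src_port': '51234', "
    "'dest_ip': '10.0.0.5', 'dest_port': '21'}",
    # None, True and a \x escape, none of which is valid JSON as-is
    "{'timestamp': '2021-05-01T10:00:02.000000', 'server': 'ftp_server', "
    "'action': 'command', 'data': {'cmd': 'STOR', 'args': '\\x00\\xff'}, "
    "'status': None, 'ok': True, 'src_ip': '198.51.100.7', "
    "'src_port': '51234', 'dest_ip': '10.0.0.5', 'dest_port': '21'}",
]


def naive_quote_swap(line):
    """Emulate the mutate/gsub approach from the thread: swap quotes and
    rewrite None/True, then hand the result to a JSON parser.

    Returns the parsed dict, or None when the rewritten text is not valid
    JSON (an embedded apostrophe, or a \\x escape that JSON does not know).
    """
    swapped = (line.replace("'", '"')
                   .replace(": None", ": null")
                   .replace(": True", ": true"))
    try:
        return json.loads(swapped)
    except json.JSONDecodeError:
        return None


def _jsonable(value):
    """Recursively make a literal_eval result acceptable to json.dumps
    (a bytes literal, should a field ever be logged as one, becomes str)."""
    if isinstance(value, bytes):
        return value.decode("utf-8", errors="backslashreplace")
    if isinstance(value, dict):
        return {str(k): _jsonable(v) for k, v in value.items()}
    if isinstance(value, (list, tuple, set)):
        return [_jsonable(v) for v in value]
    return value


def repr_line_to_json(line):
    """Parse the line as a Python literal and re-emit it as JSON.

    ast.literal_eval understands the real Python string grammar (either
    quote style, \\x escapes, None/True/False) but, unlike eval(), accepts
    only literals, so nothing an attacker typed at the honeypot can run.
    """
    obj = ast.literal_eval(line)
    return json.dumps(_jsonable(obj))


def roundtrip(line):
    """Convert and parse back, proving the output is JSON Logstash can load."""
    return json.loads(repr_line_to_json(line))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("gsub-style:  ", "parsed" if naive_quote_swap(line) else "FAILED")
        print("literal_eval:", repr_line_to_json(line))
```

Run as a preprocessor (for example, piping the honeypot log through it before the beats input, or porting the same `literal_eval`-then-`json.dumps` logic into a Logstash `ruby` filter), the json filter from the earlier reply then needs no gsub tuning at all, and lines with apostrophes or raw bytes in the FTP arguments no longer drop out.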