Grok patterns #26

fredericgoossens · 2023-03-05T15:58:49Z

Someone who has grok paterns for this so it can be parsed using logstash?

fredericgoossens · 2023-03-05T16:17:32Z

Made this one for the ftp service:

'timestamp': '%{TIMESTAMP_ISO8601:timestamp}', 'server': '%{WORD:service}', 'action': '%{WORD:action}', 'data': {'cmd': '%{WORD:cmd}', 'args': %{QUOTEDSTRING:args}}, 'src_ip': '%{IP:src_ip}', 'src_port': '%{NUMBER:src_port}', 'dest_ip': '%{IP:dest_ip}', 'dest_port': '%{NUMBER:dest_port}'

just5ky · 2023-03-06T22:44:49Z

Just FYI,
Logstash has JSON filter plugin which will parse it out

input {
}

filter {
json {
source => "message"
}
}

output {
}

fredericgoossens · 2023-03-15T14:37:06Z

Thanks for letting me know. But what you're suggesting still needs some tuning. I currently have the following logstash filter:

input {
  beats {
    port => 5044
  }
}

filter {
        mutate {
          gsub => [
            "message", "'", '"',
            "message", ": None\b", ": null",
            "message", ": True\b", ": true",
            "message", "\\\\x", "\\\\\\\\x",
            "message", "\\x", "\\\\x",
            "message", "\\x", "\\\\u00"
          ]
        }
    json { source => "message" remove_field => [ "message" ] }
}


output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "xubuntu-%{[@metadata][version]}"
  }
}

Some logs are not getting parsed correctly

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Grok patterns #26

Grok patterns #26

fredericgoossens commented Mar 5, 2023

fredericgoossens commented Mar 5, 2023

just5ky commented Mar 6, 2023

fredericgoossens commented Mar 15, 2023 •

edited

Grok patterns #26

Grok patterns #26

Comments

fredericgoossens commented Mar 5, 2023

fredericgoossens commented Mar 5, 2023

just5ky commented Mar 6, 2023

fredericgoossens commented Mar 15, 2023 • edited

fredericgoossens commented Mar 15, 2023 •

edited