I've been attempting to create some custom grok patterns for logstash. Most of them work fine, but one has got me stumped. The pattern is:
WINUSER (?<=User:\s)\w+
Here is a sample of the data that is being searched:
2015-04-14 14:06:18 exchange.ows1.osborneit.com INFO 1149 NT AUTHORITY\NETWORK SERVICE Remote Desktop Services: User authentication succeeded:
User: administrator
Domain: .
Source Network Address: 172.24.1.32
I have tested this on http://grokconstructor.appspot.com/do/match and it works correctly, but logstash seems to ignore it. I can't seem to figure out what I'm doing wrong.
Below is my logstash configuration:
input {
  udp {
    type => "eventlog"
    codec => json
    port => 5140
    tags => ['windows', 'eventlog']
  }
}
filter {
  if [type] == "eventlog" {
    grok {
      match => [
        "message", "%{IP:client}",
        "message", "%{WINUSER:username}"
      ]
    }
  }
}
output {
  elasticsearch { host => localhost }
  stdout { codec => json }
}
Update: It appears that the issue is not with the pattern, but with the order of the match. If I move the WINUSER match above the IP match, it works, but the IP match doesn't. Not sure why both don't match.
It turns out the issue was with the filter section of the config file. I had to split the grok matches into multiple lines, like below.
filter {
  if [type] == "eventlog" {
    grok {
      match => [ "message", "%{IPV4:client}" ]
    }
    grok {
      match => [ "message", "%{WINUSER:username}" ]
    }
  }
}
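The behaviour both posts describe comes from grok's break_on_match option, which defaults to true: when one grok block lists several patterns for the same field, it stops at the first pattern that matches, so the second pattern never contributes its field, and reversing the order just swaps which field goes missing. The Ruby below is an added illustration, not code from the thread or from Logstash; it emulates grok's %{NAME:field} expansion and break_on_match handling with Ruby's Oniguruma regex engine (the same engine grok uses), using the WINUSER pattern and sample message from the question. The IPV4 regex is a constructed stand-in for the grok base pattern, IP is reduced to IPv4 only for this sample, and the function names are mine.

```ruby
# Minimal emulation of Logstash grok semantics (illustration only, not Logstash code).
# WINUSER and the sample message are from the question; the rest is constructed here.

PATTERNS = {
  # IPv4 matcher in the style of grok's base IPV4 pattern (constructed here)
  "IPV4"    => '(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]){3}(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(?![0-9])',
  # Real grok defines IP as IPv6-or-IPv4; IPv4 alone is enough for this sample
  "IP"      => '%{IPV4}',
  # The custom pattern from the question (lookbehind on "User: ", then a word)
  "WINUSER" => '(?<=User:\s)\w+',
}

# Expand %{NAME} / %{NAME:field} references into Oniguruma named groups,
# recursively, the way grok compiles a pattern before matching.
def expand(pattern)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body  = PATTERNS.fetch(name) { raise "unknown grok pattern #{name}" }
    inner = expand(body)
    field ? "(?<#{field}>#{inner})" : "(?:#{inner})"
  end
end

# One grok block: an ordered list of patterns applied to one source field.
# With break_on_match (grok's default of true) the first matching pattern
# ends the block, so fields from later patterns are never extracted.
def grok_filter(message, patterns, break_on_match: true)
  fields = {}
  patterns.each do |pat|
    m = Regexp.new(expand(pat)).match(message)
    next unless m
    m.names.each { |n| fields[n] = m[n] }
    break if break_on_match
  end
  fields
end

# Event body from the question, constructed here as the single multi-line
# string the JSON codec would hand to the filter as [message].
SAMPLE = <<~MSG
  2015-04-14 14:06:18 exchange.ows1.osborneit.com INFO 1149 NT AUTHORITY\\NETWORK SERVICE Remote Desktop Services: User authentication succeeded:
  User: administrator
  Domain: .
  Source Network Address: 172.24.1.32
MSG

# The original config: both patterns inside one grok block.
def single_grok(message)
  grok_filter(message, ["%{IP:client}", "%{WINUSER:username}"])
end

# The accepted fix: one grok block per pattern, each run against the message.
def split_grok(message)
  ["%{IPV4:client}", "%{WINUSER:username}"].each_with_object({}) do |pat, acc|
    acc.merge!(grok_filter(message, [pat]))
  end
end

# Equivalent alternative: keep one block but set break_on_match => false.
def single_grok_no_break(message)
  grok_filter(message, ["%{IP:client}", "%{WINUSER:username}"], break_on_match: false)
end

if __FILE__ == $0
  p single_grok(SAMPLE)          # only "client"
  p split_grok(SAMPLE)           # "client" and "username"
  p single_grok_no_break(SAMPLE) # "client" and "username"
end
```

Run it with `ruby grok_demo.rb`. The single-block case yields only the client field, and putting WINUSER first instead yields only the username, which is exactly the order dependence noted in the update; the split-block version (or one block with break_on_match => false) extracts both.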