How to skip the beginning of a message with Grok Patterns?

Question

I am trying to extract only the last part of a Linux log using Grok Patterns in Graylog, but it's harder than I tought.

Here's the message that I receive:

Mar 18 11:10:01 graylog CRON[14637]: pam_unix(cron:session): session closed for user root

I only want to keep date, time and the "session closed for user root" part.

This is what I tried, without results:

%{GREEDYDATA} pam_unix(cron:session):
%{GREEDYDATA} session closed for user root
%{MONTH} %{BASE10NUM} %{TIME} %{GREEDYDATA}graylog CRON[18698]: pam_unix(cron:session):

Maybe I am still using "greedydata" wrong(?), any help would be greatly appreciated!

Answer 1

You can use

%{MONTH:month} %{BASE10NUM:day} %{TIME:time} %{DATA}: pam_unix\(cron:session\):\s*%{GREEDYDATA:message}

Details :

• %{MONTH:month} - month name
• %{BASE10NUM:day} - one or more digits
• %{TIME:time} - time pattern
• %{DATA} - .*? lazy-dot regex pattern, matches any zero or more chars other than line break chars, as few as possible ( note that you may change it to %{DATA:cron} to get graylog CRON[14637] in the output)
• : pam_unix\(cron:session\): - a literal : pam_unix(cron:session): text
• \s* - zero or more whitespaces
• %{GREEDYDATA:message} - .* regex pattern matching the rest of the line.