This support forum board is for support questions relating to
Nagios Log Server, our solution for managing and monitoring critical log data.
mcapra
Posts: 3739 Joined: Thu May 05, 2016 3:54 pm
Post
by mcapra » Fri Sep 01, 2017 9:44 am
You could try removing the newlines, since (?m) should make them redundant:
if [SourceName] == "Schannel" {
  grok {
    # (?m) in grok's Oniguruma engine lets '.' match newlines, so each '.*' gap
    # spans the multi-line event and literal newlines in the pattern are not needed
    match => { "message" => "(?m)An SSL %{WORD:HandshakeType} handshake.*Protocol: %{DATA:Protocol}.*CipherSuite: %{WORD:CipherSuite}.*Exchange strength: %{NUMBER:ExchangeStrength}" }
  }
}
bpizzutiWHI
Posts: 64 Joined: Thu Mar 02, 2017 10:15 am
Post
by bpizzutiWHI » Fri Sep 01, 2017 9:50 am
Yeah, that was it. Didn't like both.
Wow that grok thing is powerful...if you can ever figure it out.
mcapra
Posts: 3739 Joined: Thu May 05, 2016 3:54 pm
Post
by mcapra » Fri Sep 01, 2017 9:57 am
Grok is just regular expressions, and regular expressions in general are one of those things that are
total voodoo magic until you grind them out sufficiently
bpizzutiWHI
Posts: 64 Joined: Thu Mar 02, 2017 10:15 am
Post
by bpizzutiWHI » Fri Sep 01, 2017 9:57 am
Spoke too soon again. Seem to have lost "Protocol" somewhere, comes back empty. Adding a newline after "handshake" causes the parse failures again.
bpizzutiWHI
Posts: 64 Joined: Thu Mar 02, 2017 10:15 am
Post
by bpizzutiWHI » Fri Sep 01, 2017 10:05 am
mcapra wrote: Grok is just regular expressions, and regular expressions in general are one of those things that are
total voodoo magic until you grind them out sufficiently
Well, I'm still grinding. Turns out this filter works better if Protocol is set for GREEDYWORD.
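As an added example that is not code from this thread or from Nagios Log Server, the Ruby script below reproduces what the posts above observed. It expands a grok pattern into a Ruby (Onigmo) regexp, which shares the Oniguruma meaning of (?m) that grok uses (dot matches newline, which is why the literal newlines became redundant), and runs the posted pattern over a constructed sample message laid out like the multi-line Schannel handshake text. It shows the parse failure without (?m), the empty Protocol field when the lazy %{DATA} is followed by `.*`, the stock greedy %{GREEDYDATA} alternative (which fills Protocol but drags the line break into it), and a line-scoped capture that yields only the value. The sample message, its indentation, the blank line, and the simplified NUMBER pattern are assumptions.

```ruby
# Added example, not code from the thread or from Nagios Log Server: a minimal
# grok expander in Ruby. Ruby's Onigmo engine shares the (?m) semantics of the
# Oniguruma engine grok uses (dot matches newline), so results match grok's.

# Subset of the stock grok pattern library (NUMBER is simplified from BASE10NUM).
GROK_PATTERNS = {
  'WORD'       => '\b\w+\b',
  'DATA'       => '.*?',
  'GREEDYDATA' => '.*',
  'NUMBER'     => '[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)',
}.freeze

# Expand %{NAME:field} / %{NAME} into an Onigmo regexp with named captures.
def grok_compile(pattern)
  expanded = pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = Regexp.last_match(1), Regexp.last_match(2)
    sub = GROK_PATTERNS.fetch(name) { raise ArgumentError, "unknown pattern #{name}" }
    field ? "(?<#{field}>#{sub})" : "(?:#{sub})"
  end
  Regexp.new(expanded)
end

# Returns a Hash of captured fields, or nil on a grok parse failure.
def grok_match(pattern, message)
  m = grok_compile(pattern).match(message)
  return nil unless m
  m.names.each_with_object({}) { |n, h| h[n] = m[n] }
end

# Constructed sample message, laid out like the multi-line Schannel handshake
# event the thread is parsing (wording, indentation and blank line are assumptions).
SCHANNEL_SAMPLE = "An SSL server handshake completed successfully. " \
  "The negotiated cryptographic parameters are as follows.\n\n" \
  "   Protocol: TLS 1.2\n" \
  "   CipherSuite: 0xC02F\n" \
  "   Exchange strength: 256\n"

# The pattern from the thread, as posted.
THREAD_PATTERN = '(?m)An SSL %{WORD:HandshakeType} handshake.*Protocol: %{DATA:Protocol}' \
                 '.*CipherSuite: %{WORD:CipherSuite}.*Exchange strength: %{NUMBER:ExchangeStrength}'

# Same pattern with the stock greedy alternative for Protocol.
GREEDY_PATTERN = THREAD_PATTERN.sub('%{DATA:Protocol}', '%{GREEDYDATA:Protocol}')

# Tightened version: glue the fields with whitespace instead of '.*' and scope
# the Protocol value to its own line, so it neither collapses to "" nor swallows a newline.
LINE_SCOPED_PATTERN = '(?m)An SSL %{WORD:HandshakeType} handshake.*Protocol: (?<Protocol>[^\r\n]+)' \
                      '\s+CipherSuite: %{WORD:CipherSuite}\s+Exchange strength: %{NUMBER:ExchangeStrength}'

def without_multiline_flag
  grok_match(THREAD_PATTERN.sub('(?m)', ''), SCHANNEL_SAMPLE)  # nil: '.*' cannot cross "\n"
end

def with_lazy_data
  grok_match(THREAD_PATTERN, SCHANNEL_SAMPLE)  # Protocol => "" (lazy DATA, the '.*' after it wins)
end

def with_greedy_data
  grok_match(GREEDY_PATTERN, SCHANNEL_SAMPLE)  # Protocol => "TLS 1.2\n   " (line break included)
end

def with_line_scoped
  grok_match(LINE_SCOPED_PATTERN, SCHANNEL_SAMPLE)  # Protocol => "TLS 1.2"
end

if $PROGRAM_NAME == __FILE__
  { 'no (?m)' => without_multiline_flag, 'DATA' => with_lazy_data,
    'GREEDYDATA' => with_greedy_data, 'line-scoped' => with_line_scoped }.each do |label, fields|
    puts "#{label}: #{fields.inspect}"
  end
end
```

Run the script directly to print the four results. The design point is that `%{DATA}` is `.*?` and a lazy group placed directly before a greedy `.*` will happily match nothing, while `%{GREEDYDATA}` (`.*`) runs to the last place the rest of the pattern can still match; when the fields sit on separate lines, gluing them with `\s+` and capturing `[^\r\n]+` is what gives a clean value for Protocol.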
cdienger
Support Tech
Posts: 5045 Joined: Tue Feb 07, 2017 11:26 am
Post
by cdienger » Fri Sep 01, 2017 3:20 pm
Sounds good : ) Let us know if anything comes up that we can help with.