I've got 2 different log formats coming in over syslog, from the same host, and want to set the type field based on the format of the line. I know you can have multiple pattern matches in grok (for example at the end of this page https://coralogix.com/log-analytics-blo ... -examples/) but I want to set a field based on the match.
So for example:
if pattern one
'type' = 'log 1'
if pattern two
'type' = 'log 2'
What's the best way to do that?
My current filter (which was for just one type of log) is:
if [type] == 'syslog' {
  if [host] == '192.168.10.10' {
    grok {
      match => [ 'message', "%{TIMESTAMP_ISO8601:timestamp} %{IP:ipaddress} %{USERNAME:action}: %{WORD:username} %{USERNAME:WorkstationName} %{WORD:location}" ]
    }
    mutate { replace => [ 'type', 'log1' ] }
    mutate { replace => [ 'host', "%{ipaddress}" ] }
  }
}
Thanks
Filter for multiple log formats in syslog
billy_strath

benjaminsmith
Re: Filter for multiple log formats in syslog
Hi Billy,
Good question! I'm going to do a little research on the best approach on this one and follow up with you. Thanks for your patience.
Best Regards,
Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
billy_strath
Re: Filter for multiple log formats in syslog
I found out that although each syslog line was different (and from the same host), they always started with the date and time and then an IP address. This IP address seemed to be a key to the log format, so I've done a partial match and then used an IF around the IP to do a further match and any mutations.
Still need to put my other transforms in, but it does what I need, although maybe not the most elegant:
if [type] == 'syslog' {
  if [host] == '192.168.1.10' {
    grok {
      match => [ 'message', "%{TIMESTAMP_ISO8601:timestamp} %{IP:ipaddress}" ]
    }
    if [ipaddress] == "192.168.1.1" {
      mutate { replace => { type => "type1" } }
    } else if [ipaddress] == "192.168.1.2" {
      mutate { replace => { type => "type2" } }
    } else {
      mutate { replace => { type => "type3" } }
      mutate { remove_field => [ "ipaddress" ] }
      grok {
        match => [ 'message', "%{TIMESTAMP_ISO8601:timestamp} %{IP:ipaddress} %{USERNAME:action}: %{WORD:username} %{USERNAME:WorkstationName} %{WORD:location}" ]
      }
      mutate { replace => [ 'host', "%{ipaddress}" ] }
    }
  }
}
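The original question asked how to set type from which grok pattern matched, while the working solution above branches on the parsed IP instead. The following Logstash filter is an added example, not from this thread or from Nagios, showing the pattern-based dispatch: each grok attempt records the format name in @metadata only when it matches, the second pattern runs only if the first missed, and the type/host mutations run only when one of them won. The first pattern is the one from the thread; the second pattern and the field name syslog_host are placeholders I assumed (the thread only says the second format also starts with a timestamp and an IP).

```logstash
filter {
  if [type] == "syslog" and [host] == "192.168.10.10" {

    # Pass 1: the most specific format. add_field on grok only fires when the
    # pattern matches, so [@metadata][fmt] records which pattern won.
    # @metadata is never shipped to outputs, so it is a safe scratch area.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{IP:ipaddress} %{USERNAME:action}: %{WORD:username} %{USERNAME:WorkstationName} %{WORD:location}" }
      add_field => { "[@metadata][fmt]" => "log1" }
      tag_on_failure => []    # a miss here is expected, do not tag it yet
    }

    # Pass 2: only runs when pass 1 did not match. The pattern below is a
    # placeholder (assumption: the second format also starts with timestamp
    # and IP); replace the GREEDYDATA tail with the real fields. Because it
    # is so permissive, it must stay after the specific pattern.
    if ![@metadata][fmt] {
      grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{IP:ipaddress} %{GREEDYDATA:detail}" }
        add_field => { "[@metadata][fmt]" => "log2" }
        tag_on_failure => [ "_grokparsefailure" ]   # neither format matched: keep the event, flag it
      }
    }

    # Apply the per-format mutations only when one of the patterns matched.
    if [@metadata][fmt] {
      # Keep the host syslog reported before overwriting it with a value
      # parsed out of the message body, so the two can be compared later.
      # This must be a separate mutate: inside one mutate block, replace
      # runs before copy, so a single block would copy the new value.
      mutate { copy => { "host" => "syslog_host" } }
      mutate {
        replace => { "type" => "%{[@metadata][fmt]}"
                     "host" => "%{ipaddress}" }
      }
    }
  }
}
```

Events that match neither pattern keep their original type and carry the _grokparsefailure tag, which is easy to alert on; that is usually preferable to silently falling through to a default type, since a new or malformed log format would otherwise be mislabelled without anyone noticing.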
Re: Filter for multiple log formats in syslog
Glad to hear you found something that works. Let us know if you run into any further issues while testing.