Re: Nagios Log Server - dissect logstash plugin
Posted: Fri Sep 01, 2017 9:44 am
by mcapra
You could try removing the newlines, since (?m) should make them redundant:
Code:
  if [SourceName] == "Schannel" {
    grok {
      match => { "message" => "(?m)An SSL %{WORD:HandshakeType} handshake.*Protocol: %{DATA:Protocol}.*CipherSuite: %{WORD:CipherSuite}.*Exchange strength: %{NUMBER:ExchangeStrength}" }
    }
  }
Re: Nagios Log Server - dissect logstash plugin
Posted: Fri Sep 01, 2017 9:50 am
by bpizzutiWHI
Yeah, that was it. Didn't like both.
Wow that grok thing is powerful...if you can ever figure it out.
Re: Nagios Log Server - dissect logstash plugin
Posted: Fri Sep 01, 2017 9:57 am
by mcapra
Grok is just regular expressions, and regular expressions in general are one of those things that are
total voodoo magic until you grind them out sufficiently.

Re: Nagios Log Server - dissect logstash plugin
Posted: Fri Sep 01, 2017 9:57 am
by bpizzutiWHI
Spoke too soon again. Seem to have lost "Protocol" somewhere, comes back empty. Adding a newline after "handshake" causes the parse failures again.
Re: Nagios Log Server - dissect logstash plugin
Posted: Fri Sep 01, 2017 10:05 am
by bpizzutiWHI
mcapra wrote: Grok is just regular expressions, and regular expressions in general are one of those things that are
total voodoo magic until you grind them out sufficiently.

Well, I'm still grinding. Turns out this filter works better if Protocol is set for GREEDYWORD.
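The empty "Protocol" field from the posts above can be reproduced outside Logstash. This is an added example, not code from the thread or from Nagios/Logstash: it expands the grok names with a hand-written subset of the grok pattern library, translates Oniguruma's (?m) (dot matches newline) to Python's re.DOTALL, and runs the pattern as posted, the GREEDYDATA variant, and an anchored variant against a constructed Schannel message.

```python
import re

# Hand-written subset of the Logstash grok pattern library (only the names used
# in this thread; NUMBER is simplified, the real BASE10NUM uses lookbehinds).
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "DATA": r".*?",        # lazy: matches as little as possible
    "GREEDYDATA": r".*",   # greedy: matches as much as possible
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} into named groups. Grok runs on Oniguruma, where
    (?m) makes '.' match newlines; Python spells that re.DOTALL."""
    flags = 0
    if pattern.startswith("(?m)"):
        pattern, flags = pattern[4:], re.DOTALL
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern), flags)

def grok_match(pattern, message):
    """Return the captured fields as a dict, or None (a _grokparsefailure)."""
    m = grok_to_regex(pattern).search(message)
    return m.groupdict() if m else None

# Constructed Schannel 'handshake completed' event text, not a real capture.
SCHANNEL_MESSAGE = (
    "An SSL server handshake completed successfully. "
    "The negotiated cryptographic parameters are as follows.\r\n\r\n"
    "   Protocol: TLS 1.2\r\n"
    "   CipherSuite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\r\n"
    "   Exchange strength: 384 bits"
)

HEAD = "(?m)An SSL %{WORD:HandshakeType} handshake.*Protocol: "
TAIL = "CipherSuite: %{WORD:CipherSuite}.*Exchange strength: %{NUMBER:ExchangeStrength}"
# As posted: lazy DATA followed by '.*' lets DATA stay empty, so Protocol == "".
PATTERN_POSTED = HEAD + "%{DATA:Protocol}.*" + TAIL
# GREEDYDATA recovers the value but drags the trailing newline and indent along.
PATTERN_GREEDY = HEAD + "%{GREEDYDATA:Protocol}.*" + TAIL
# Anchoring lazy DATA on the next label instead of '.*' yields the clean value.
PATTERN_ANCHORED = HEAD + r"%{DATA:Protocol}\s*" + TAIL

if __name__ == "__main__":
    for label, pat in [("posted", PATTERN_POSTED), ("greedy", PATTERN_GREEDY),
                       ("anchored", PATTERN_ANCHORED)]:
        print(label, grok_match(pat, SCHANNEL_MESSAGE))
```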
Re: Nagios Log Server - dissect logstash plugin
Posted: Fri Sep 01, 2017 3:20 pm
by cdienger
Sounds good : ) Let us know if anything comes up that we can help with.