Grok parse failure when trying to create field from syslog
Posted: Thu Jan 14, 2016 7:18 pm
I have the following message where I am trying to parse out the first word and put it in a field called netid.

Code:
 user : TTY=pts/0 ; PWD=/home/cxxx ; USER=root ; COMMAND=/usr/bin/crontab -l

Can you tell me why this would be producing a grokparsefailure? I have triple checked the field name. I tested the grok filter on the grok debugger website and it works there fine. Could the syslog pattern that is processing this event be causing this to happen?

Here is my filter. There is a space in front of the user but the grok debugger still worked. I have another filter that does the same thing, but with more fields, that you guys helped me put together.

Filter:
if [program] == 'sudo' {
    grok {
        match => [ 'message', '{%WORD:netid} %{GREEDYDATA:message}' ]
    }
}

Here is the other filter for my Asset mgmt application. I did not use the "overwrite => [ "message" ]" part of the filter as I do not want to overwrite what is there. The goal is to have on the dashboard a window that lets them know what users are using sudo in certain ways and give an event count per user. Thus the creation of the netid field I am trying to accomplish.

Here is the AssetCore filter that I created the above off of.
if [program] == 'AssetCore' {
    grok {
        match => [ 'message', '%{DATESTAMP:timestamp} %{WORD:sub_process} *%{WORD:error_code} %{GREEDYDATA:message}' ]
        overwrite => [ "message" ]
    }
}
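The posted sudo filter writes `{%WORD:netid}`, but a grok reference is written `%{NAME:field}`, so that text is never expanded and the filter ends up searching the line for a literal `{%WORD:netid}` that is not there. The Python emulation of grok expansion below is an added example, not code from the original post or from Logstash; its two-entry pattern table, the `SAMPLE` line, and the function names are constructed here so it runs offline.

```python
import re

# Minimal subset of the grok base patterns, written out for this example;
# Logstash ships a much larger library, but these two are all the filter uses.
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "GREEDYDATA": r".*",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into named groups. Any other text,
    including a mistyped '{%WORD:netid}', is passed through unchanged and
    therefore has to appear in the message for the match to succeed."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        if name not in GROK_PATTERNS:
            raise ValueError(f"unknown grok pattern %{{{name}}}")
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(expand, pattern)


def grok_match(pattern, message):
    """Emulate one grok match attempt. Like Logstash's grok filter the search
    is unanchored, so the leading space before 'user' does not matter.
    Returns the captured fields, or None for the case that gets tagged
    _grokparsefailure."""
    m = re.search(grok_to_regex(pattern), message)
    return m.groupdict() if m else None


# Constructed copy of the sudo line from the post, leading space included.
SAMPLE = " user : TTY=pts/0 ; PWD=/home/cxxx ; USER=root ; COMMAND=/usr/bin/crontab -l"
BROKEN = "{%WORD:netid} %{GREEDYDATA:message}"   # as posted: '{%' instead of '%{'
FIXED = "%{WORD:netid} %{GREEDYDATA:message}"


if __name__ == "__main__":
    for label, pat in (("posted", BROKEN), ("corrected", FIXED)):
        print(f"{label}: {grok_to_regex(pat)!r} -> {grok_match(pat, SAMPLE)}")
```

Note that without `overwrite => [ "message" ]` Logstash does not replace the existing `message` field when a capture of the same name succeeds; it appends the captured value, so `message` becomes an array holding both the original line and the remainder captured here.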