why _grokparsefailure?
Posted: Thu Aug 04, 2016 4:43 am
by comfone
Hi All
We are using 2 Nagios Log Server instances, version 1.4.0 (VM appliance).
I have the attached filters configured and active, and they seem to work.
Why do I still get "_grokparsefailure"?
Thank you for your help.
Re: why _grokparsefailure?
Posted: Thu Aug 04, 2016 9:29 am
by hsmith
Can I see a screenshot of your full list of filters? It could be that another one is trying to be applied to this. I believe it works from top-down, so if the type is 'syslog' before you change it using the mutate, any 'syslog' filters would apply to it. Does this make sense?
Re: why _grokparsefailure?
Posted: Fri Aug 05, 2016 2:39 am
by comfone
#
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Fri, 05 Aug 2016 09:38:36 +0200
#
#
# Global filters
#
filter {
    if [type] == 'apache_access_log' {
        grok {
            match => [ 'message', '<\d+>.+\s\d+\s\d+:\d+:\d+\s%{HOSTNAME:logsource} %{COMMONAPACHELOG}']
        }
        geoip {
            source => 'clientip'
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
            convert => [ 'bytes', 'integer' ]
            convert => [ 'response', 'integer' ]
        }
    }
    if [type] == 'apache_error_log' {
        grok {
            match => [ 'message', '<\d+>.+\s\d+\s\d+:\d+:\d+\s%{HOSTNAME:logsource} \[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[.*:%{LOGLEVEL:loglevel}\] \[pid %{NUMBER:pid}\] \[client %{IP:clientip}:.*\] %{GREEDYDATA:errormsg}']
        }
        mutate {
            replace => [ 'type', 'apache_error' ]
        }
    }
    if [Category] == 'Windows Update Agent' and [EventID] == 26 {
        grok {
            match => [ 'message', '%{NUMBER:count}']
        }
        mutate {
            add_field => ['CountWinUpdate','%{count}']
        }
    }
    if [type] == "syslog" {
        grok {
            match => [ "message", "%{SYSLOGLINE}" ]
        }
    }
    if [program] == 'OracleAlertLog' {
        mutate {replace => [ 'type', 'OracleAlertLog' ]}
    }
    if [type] == 'IIS_CAS_requests' {
        grok {
            match => ['cs-uri-query', '(?:User=%{USER:as-USER}&)*(?:DeviceType=%{NOTSPACE:as-DEV}&)*(?:Cmd=%{WORD:as-CMD}&)?(?:%{DATA})?&%{GREEDYDATA:uri-as-remainder}']
        }
        date {
            match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
        }
        geoip {
            source => "c-ip"
        }
    }
    if [program] == 'SMOLog' {
        mutate {replace => [ 'type', 'SMOLog' ]}
    }
    if [program] == 'SSG-ETDRS' {
        mutate {replace => [ 'type', 'SSG-ETDRS' ]}
        grok {
            match => { 'message' => [ '\A%{WORD:Loader}-%{WORD:AlarmType}-%{WORD:Data}%{SPACE}%{TIMESTAMP_ISO8601:TimeStamp}%{SPACE}%{QUOTEDSTRING:Info}' ] }
        }
    }
    if [program] == 'SSG-STATISTICS' {
        mutate {replace => [ 'type', 'SSG-STATISTICS' ]}
        grok {
            match => { 'message' => [ '\A%{WORD:Loader}-%{WORD:AlarmType}-%{WORD:Data}%{SPACE}%{TIMESTAMP_ISO8601:TimeStamp}%{SPACE}%{QUOTEDSTRING:Info}' ] }
        }
    }
}
#
# Local filters
#
Re: why _grokparsefailure?
Posted: Fri Aug 05, 2016 9:18 am
by hsmith
My assumption is it is coming in as a syslog, if that is the case, this one could be causing it:
if [type] == "syslog" {
    grok {
        match => [ "message", "%{SYSLOGLINE}" ]
    }
}
Can you temporarily disable this as a test and see what happens?
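An added example (not from this thread or from Nagios) showing an alternative to disabling the generic syslog grok outright: because filters run top-down, the program-based re-typing is moved ahead of the `%{SYSLOGLINE}` grok, and each grok gets its own failure tag so an unparsed event can be traced to the filter that failed. It assumes `program` is already populated by the syslog input before the filter section runs; pattern strings and field names are copied from the posted config.

```logstash
filter {
    # Re-type program-specific events FIRST. The generic syslog grok
    # below then never runs against them, so it cannot tag them.
    if [program] == 'SSG-ETDRS' {
        mutate { replace => [ 'type', 'SSG-ETDRS' ] }
    }
    if [program] == 'SSG-STATISTICS' {
        mutate { replace => [ 'type', 'SSG-STATISTICS' ] }
    }

    # Generic syslog parsing only for events still typed 'syslog'.
    # A distinct tag (instead of the default '_grokparsefailure')
    # makes it obvious WHICH grok failed when reviewing unparsed events.
    if [type] == 'syslog' {
        grok {
            match          => [ 'message', '%{SYSLOGLINE}' ]
            tag_on_failure => [ '_grokparsefailure_syslog' ]
        }
    }

    # Program-specific parsing, now keyed on the re-typed events.
    if [type] == 'SSG-ETDRS' or [type] == 'SSG-STATISTICS' {
        grok {
            match => { 'message' => [ '\A%{WORD:Loader}-%{WORD:AlarmType}-%{WORD:Data}%{SPACE}%{TIMESTAMP_ISO8601:TimeStamp}%{SPACE}%{QUOTEDSTRING:Info}' ] }
            tag_on_failure => [ '_grokparsefailure_ssg' ]
        }
    }
}
```

Unparsed log lines are a monitoring blind spot, so a search on `tags:_grokparsefailure_*` is worth keeping on a dashboard after any filter change.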
Re: why _grokparsefailure?
Posted: Wed Aug 10, 2016 6:20 am
by comfone
You were right.
I have disabled the filter and the problem is solved.

Thank you.