
Logstash Grok Pattern

Posted: Wed Apr 18, 2018 2:58 pm
by HASupport
Hi Nik, hope you are doing great.
I need a grok pattern for the following; can you help me achieve it, please?
This is only for the highlighted portion of the message.

<134>GLH-SSO-c5508a: *haSSOServiceTask3: Apr 19 07:24:16.217: %APF_HA-6-CLIENT_TEMP_DB_FIND_ERR: [SS]apf_ha_api.c:258 Unable to find Mobile 4c:66:41:8a:05:f3 entry in the temporary Client database used for APF HA

Re: Logstash Grok Pattern

Posted: Wed Apr 18, 2018 3:49 pm
by npolovenko
Hello again, @HASupport! There you go:


^%{SYSLOG5424PRI:priority}%{DATA:host}: %{DATA}: %{MONTH:month} %{POSINT:day} %{TIME:time}: %{GREEDYDATA:message}

Re: Logstash Grok Pattern

Posted: Wed Apr 18, 2018 4:02 pm
by HASupport
<134>GLH-SSO-c5508a: *haSSOServiceTask3: Apr 19 07:24:16.217: %APF_HA-6-CLIENT_TEMP_DB_FIND_ERR: [SS]apf_ha_api.c:258 Unable to find Mobile 4c:66:41:8a:05:f3 entry in the temporary Client database used for APF HA

^%{SYSLOG5424PRI:priority}%{DATA:host}: %{DATA}: %{MONTH:month} %{POSINT:day} %{TIME:time}: %{GREEDYDATA:message}

Hi there,

The above is what I have already posted.
What I need is to make the %{GREEDYDATA:message} pattern more readable;
for example, Mobile 4c:66:41:8a:05:f3 needs a more readable format.

Re: Logstash Grok Pattern

Posted: Thu Apr 19, 2018 2:59 pm
by npolovenko
@HASupport, you could try this syntax to separate the MAC address.


^%{SYSLOG5424PRI:priority}%{DATA:host}: %{DATA}: %{MONTH:month} %{POSINT:day} %{TIME:time}: (?<message>.*?%{MAC:mac_address}.*)
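Worked example (added here; not code from the thread or from Logstash itself): a small grok-to-regex expander in Python that runs the thread's sample line through three candidate patterns, so you can see which fields each one actually produces before pasting a pattern into a Logstash filter. The grok library is a constructed, simplified subset of the stock grok-patterns file (MONTH and TIME are abbreviated), Python's `re` stands in for Logstash's Oniguruma engine, and the field name `priority` is used for the `SYSLOG5424PRI` capture. The point it demonstrates is the pitfall with GREEDYDATA: appending an optional `%{MAC:mac_address}` after `%{GREEDYDATA:message}` silently produces no `mac_address` field, because `.*` swallows the MAC and the optional group matches empty; nesting the MAC capture inside a lazy `message` capture yields both fields.

```python
import re

# Constructed, simplified subset of the stock Logstash grok-patterns library:
# only the names the thread's patterns reference (MONTH and TIME abbreviated).
GROK_LIBRARY = {
    "NONNEGINT": r"(?:[0-9]+)",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "SYSLOG5424PRI": r"<%{NONNEGINT}>",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})",
    "CISCOMAC": r"(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})",
    "WINDOWSMAC": r"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})",
    "COMMONMAC": r"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})",
    "MAC": r"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})",
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, library=GROK_LIBRARY):
    """Expand %{NAME} and %{NAME:field} references into a plain Python regex.
    Expansion is recursive, so nested definitions (MAC -> COMMONMAC) work."""
    # Oniguruma spells named groups (?<name>...); Python's re wants (?P<name>...)
    pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)

    def expand(m):
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(library[name], library)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    return _GROK_REF.sub(expand, pattern)


def grok_match(pattern, line):
    """Return captured fields as a dict (optional groups that did not take part
    are dropped), or None on no match. Like Logstash, the search is unanchored,
    which is why the thread's patterns begin with ^."""
    m = re.search(grok_to_regex(pattern), line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


# Sample line taken from the thread's first post.
SAMPLE = ("<134>GLH-SSO-c5508a: *haSSOServiceTask3: Apr 19 07:24:16.217: "
          "%APF_HA-6-CLIENT_TEMP_DB_FIND_ERR: [SS]apf_ha_api.c:258 Unable to find "
          "Mobile 4c:66:41:8a:05:f3 entry in the temporary Client database used for APF HA")

HEADER = (r"^%{SYSLOG5424PRI:priority}%{DATA:host}: %{DATA}: "
          r"%{MONTH:month} %{POSINT:day} %{TIME:time}: ")

# 1. The whole tail lands in one "message" field.
PATTERN_WHOLE_MESSAGE = HEADER + r"%{GREEDYDATA:message}"

# 2. Pitfall: GREEDYDATA (.*) swallows the MAC, the regex backtracks only to the
#    last space, the optional MAC group matches empty, so mac_address is never
#    set and "message" even loses its final word.
PATTERN_TRAILING_MAC = HEADER + r"%{GREEDYDATA:message} %{MAC:mac_address}?"

# 3. Nest the MAC capture inside a lazy message capture: .*? stops at the first
#    MAC, the trailing .* keeps the rest, and both fields are populated.
PATTERN_NESTED_MAC = HEADER + r"(?<message>.*?%{MAC:mac_address}.*)"


def extract(pattern=PATTERN_NESTED_MAC, line=SAMPLE):
    """Apply a grok pattern to a log line and return the extracted fields."""
    return grok_match(pattern, line)


if __name__ == "__main__":
    for label, pat in [("whole message", PATTERN_WHOLE_MESSAGE),
                       ("trailing MAC?", PATTERN_TRAILING_MAC),
                       ("nested MAC", PATTERN_NESTED_MAC)]:
        print(label, "->", extract(pat))
```

Before trusting any of these in production, run the real pattern through Logstash's grok (or the Grok Debugger in Kibana) with the real Oniguruma engine; the library above is a trimmed stand-in, and the lazy `.*?` in pattern 3 will latch onto the first MAC-shaped token in the message, so check it against lines that contain more than one.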