Troubles with parsing the log

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Troubles with parsing the log

Post by dlukinski »

Hello LOG support

I am trying to parse this log:

Code:

<14>Aug 17 11:05:21 KC-FI-MGR.konecranes.com 1,2020/08/17 11:05:21,001701001987,SYSTEM,globalprotect,0,2020/08/17 11:05:01,,globalprotectgateway-config-release,GP gateway-N,0,0,general,informational,"GlobalProtect gateway client configuration released. User name: XXXX, Private IP: 10.XX.XX.X, Client version: 5.1.5-20, Device name: CNU406CM1R, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, VPN type: Device Level VPN.",383324,0x8000000000000000,0,0,0,0,,KC-FI-FW2
With the following filter:

Code:

if [type] == "PALOALTOlog" {
  grok {
    match => { "message" => "%{DATE:date} %{TIME:time} - %{DATA:mtype} - \[%{IP:ip}\] %{WORD:username}%{GREEDYDATA:authstring} - %{GREEDYDATA:message}" }
    overwrite => [ "message" ]
  }
}
but no luck
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Troubles with parsing the log

Post by cdienger »

If you haven't already, I'd highly suggest taking a look at https://assets.nagios.com/downloads/nag ... ilters.pdf which covers custom filters.

How does this event look in the dashboard section of NLS exactly?

What kind of input is this coming in on?

It's not clear to me exactly which pieces of information you are trying to pull out. Please highlight exactly what you'd like to pull from:

Code:

<14>Aug 17 11:05:21 KC-FI-MGR.konecranes.com 1,2020/08/17 11:05:21,001701001987,SYSTEM,globalprotect,0,2020/08/17 11:05:01,,globalprotectgateway-config-release,GP gateway-N,0,0,general,informational,"GlobalProtect gateway client configuration released. User name: XXXX, Private IP: 10.XX.XX.X, Client version: 5.1.5-20, Device name: CNU406CM1R, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, VPN type: Device Level VPN.",383324,0x8000000000000000,0,0,0,0,,KC-FI-FW2
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: Troubles with parsing the log

Post by dlukinski »

cdienger wrote:If you haven't already, I'd highly suggest taking a look at https://assets.nagios.com/downloads/nag ... ilters.pdf which covers custom filters.

How does this event look in the dashboard section of NLS exactly?

What kind of input is this coming in on?

It's not clear to me exactly which pieces of information you are trying to pull out. Please highlight exactly what you'd like to pull from:

Code:

<14>Aug 17 11:05:21 KC-FI-MGR.konecranes.com 1,2020/08/17 11:05:21,001701001987,SYSTEM,globalprotect,0,2020/08/17 11:05:01,,globalprotectgateway-config-release,GP gateway-N,0,0,general,informational,"GlobalProtect gateway client configuration released. User name: XXXX, Private IP: 10.XX.XX.X, Client version: 5.1.5-20, Device name: CNU406CM1R, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, VPN type: Device Level VPN.",383324,0x8000000000000000,0,0,0,0,,KC-FI-FW2

Thank you for responding,

I've attached the screenshot from Nagios Log (this message = LOG message body)

We are trying to parse the following:
Received Time/Date - 2020/08/17 11:05:21
Log Time/Date - 2020/08/17 11:05:01
Message - GlobalProtect gateway client configuration released OR GlobalProtect gateway user logout succeeded OR GlobalProtect gateway user authentication failed
UserName
Host - KC-FI-FW2
-------------------
What is the best GROK discovery/pattern tool for Nagios Log?
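As an added example (not from the post, from Nagios Log Server or from Palo Alto), the extraction dlukinski lists above done in Python as a stand-in for a grok stage: the syslog header is matched with a regex and the PAN-OS body is read as CSV, so the quoted description, which itself contains commas, survives intact. It assumes the standard PAN-OS SYSTEM log column order and uses the sample line from the post as constructed input.

```python
import csv
import re

# Constructed sample: the line quoted in the post (user name and IP masked there).
SAMPLE = (
    '<14>Aug 17 11:05:21 KC-FI-MGR.konecranes.com 1,2020/08/17 11:05:21,001701001987,'
    'SYSTEM,globalprotect,0,2020/08/17 11:05:01,,globalprotectgateway-config-release,'
    'GP gateway-N,0,0,general,informational,"GlobalProtect gateway client configuration '
    'released. User name: XXXX, Private IP: 10.XX.XX.X, Client version: 5.1.5-20, '
    'Device name: CNU406CM1R, Client OS version: Microsoft Windows 10 Enterprise , '
    '64-bit, VPN type: Device Level VPN.",383324,0x8000000000000000,0,0,0,0,,KC-FI-FW2'
)

# Syslog header: <PRI>, BSD timestamp, relaying host, then the PAN-OS CSV body.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<relay>\S+) (?P<body>.*)$"
)
# Split the description into "Key: value" pairs only where a new key follows, so a
# value with an embedded comma ("Windows 10 Enterprise , 64-bit") stays whole.
PAIR_SPLIT = re.compile(r", (?=[A-Za-z][A-Za-z ]*: )")

def parse_pan_system_log(line):
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a syslog line with a PAN-OS body")
    # The csv module honours the quoted description, which a comma-based grok does not.
    fields = next(csv.reader([m.group("body")]))
    if len(fields) < 23 or fields[3] != "SYSTEM":
        raise ValueError("expected a 23-column PAN-OS SYSTEM log, got %d" % len(fields))
    # Assumed PAN-OS SYSTEM column order: FUTURE_USE, receive_time, serial, type,
    # subtype, FUTURE_USE, time_generated, vsys, eventid, object, FUTURE_USE x2,
    # module, severity, description, seqno, actionflags, dg_hier 1-4, vsys_name, device_name.
    event, _, rest = fields[14].rstrip(".").partition(". ")
    details = {}
    for pair in (PAIR_SPLIT.split(rest) if rest else []):
        key, sep, value = pair.partition(": ")
        if sep:
            details[key.strip()] = value.strip()
    return {
        "syslog_host": m.group("relay"),   # host that relayed the line
        "received_time": fields[1],
        "log_time": fields[6],
        "event": event,                    # first sentence of the description
        "username": details.get("User name"),
        "host": fields[22],                # device_name, the firewall itself
        "details": details,
    }
```

A description with no "Key: value" part (e.g. a plain logout or authentication-failed sentence) yields that sentence as `event` and an empty `details`.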
jdunitz
Posts: 235
Joined: Wed Feb 05, 2020 2:50 pm

Re: Troubles with parsing the log

Post by jdunitz »

We often use
https://grokdebug.herokuapp.com/

When I tried it on your data, it wouldn't autodiscover it, however. It might take some tweaking.

This was discussed on Reddit a while back; you may find it helpful: https://www.reddit.com/r/paloaltonetwor ... ost_there/

--Jeffrey