
Troubles with parsing the log

Posted: Mon Aug 17, 2020 12:11 pm
by dlukinski
Hello LOG support

I am trying to parse this log:

Code:

<14>Aug 17 11:05:21 KC-FI-MGR.konecranes.com 1,2020/08/17 11:05:21,001701001987,SYSTEM,globalprotect,0,2020/08/17 11:05:01,,globalprotectgateway-config-release,GP gateway-N,0,0,general,informational,"GlobalProtect gateway client configuration released. User name: XXXX, Private IP: 10.XX.XX.X, Client version: 5.1.5-20, Device name: CNU406CM1R, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, VPN type: Device Level VPN.",383324,0x8000000000000000,0,0,0,0,,KC-FI-FW2
With the following filter:

Code:

if [type] == "PALOALTOlog" {
    grok {
        match => { "message" => "%{DATE:date} %{TIME:time} - %{DATA:mtype} - \[%{IP:ip}\] %{WORD:username}%{GREEDYDATA:authstring} - %{GREEDYDATA:message}" }
        overwrite => [ "message" ]
    }
}

But no luck.

Re: Troubles with parsing the log

Posted: Tue Aug 18, 2020 10:28 am
by cdienger
If you haven't already, I'd highly suggest taking a look at https://assets.nagios.com/downloads/nag ... ilters.pdf which covers custom filters.

How does this event look in the dashboard section of NLS exactly?

What kind of input is this coming in on?

It's not clear to me exactly which pieces of information you are trying to pull out. Please highlight exactly what you'd like to pull from:

Code:

<14>Aug 17 11:05:21 KC-FI-MGR.konecranes.com 1,2020/08/17 11:05:21,001701001987,SYSTEM,globalprotect,0,2020/08/17 11:05:01,,globalprotectgateway-config-release,GP gateway-N,0,0,general,informational,"GlobalProtect gateway client configuration released. User name: XXXX, Private IP: 10.XX.XX.X, Client version: 5.1.5-20, Device name: CNU406CM1R, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, VPN type: Device Level VPN.",383324,0x8000000000000000,0,0,0,0,,KC-FI-FW2

Re: Troubles with parsing the log

Posted: Wed Aug 19, 2020 1:16 pm
by dlukinski
cdienger wrote:If you haven't already, I'd highly suggest taking a look at https://assets.nagios.com/downloads/nag ... ilters.pdf which covers custom filters.

How does this event look in the dashboard section of NLS exactly?

What kind of input is this coming in on?

It's not clear to me exactly which pieces of information you are trying to pull out. Please highlight exactly what you'd like to pull from:

Code:

<14>Aug 17 11:05:21 KC-FI-MGR.konecranes.com 1,2020/08/17 11:05:21,001701001987,SYSTEM,globalprotect,0,2020/08/17 11:05:01,,globalprotectgateway-config-release,GP gateway-N,0,0,general,informational,"GlobalProtect gateway client configuration released. User name: XXXX, Private IP: 10.XX.XX.X, Client version: 5.1.5-20, Device name: CNU406CM1R, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, VPN type: Device Level VPN.",383324,0x8000000000000000,0,0,0,0,,KC-FI-FW2

Thank you for responding,

I've attached the screenshot from Nagios Log (this message = LOG message body)

We are trying to parse the following:
Received Time/Date - 2020/08/17 11:05:21
Log Time/Date - 2020/08/17 11:05:01
Message - GlobalProtect gateway client configuration released OR GlobalProtect gateway user logout succeeded OR GlobalProtect gateway user authentication failed
UserName
Host - KC-FI-FW2
-------------------
What is the best GROK discovery/pattern tool for Nagios Log?
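The fields asked for above can be pulled out in two stages: a grok-style split of the syslog header from the comma-separated PAN-OS body, then a CSV parse of the body (the quoted description contains commas, which is why a plain comma split or a single grok pattern fails). The following Python is an added illustration of that logic, not code from this thread or from Nagios; the column names are my assumption from the PAN-OS SYSTEM log field order and should be checked against the field reference for your PAN-OS release.

```python
import csv
import re
from io import StringIO

# Constructed from the line quoted in the thread (user name and private IP are
# redacted there, so "XXXX" and "10.XX.XX.X" are kept as-is).
SAMPLE_LINE = (
    '<14>Aug 17 11:05:21 KC-FI-MGR.konecranes.com 1,2020/08/17 11:05:21,001701001987,'
    'SYSTEM,globalprotect,0,2020/08/17 11:05:01,,globalprotectgateway-config-release,'
    'GP gateway-N,0,0,general,informational,"GlobalProtect gateway client configuration '
    'released. User name: XXXX, Private IP: 10.XX.XX.X, Client version: 5.1.5-20, '
    'Device name: CNU406CM1R, Client OS version: Microsoft Windows 10 Enterprise , '
    '64-bit, VPN type: Device Level VPN.",383324,0x8000000000000000,0,0,0,0,,KC-FI-FW2'
)

# Syslog header "<PRI>Mon dd HH:MM:SS host <body>", the same split a grok pattern like
# "<%{INT:pri}>%{SYSLOGTIMESTAMP:ts} %{HOSTNAME:host} %{GREEDYDATA:body}" performs.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.*)$"
)

# PAN-OS SYSTEM log columns in syslog order (assumption from the PAN-OS docs; verify for your release).
SYSTEM_COLUMNS = [
    "future_use1", "receive_time", "serial", "type", "subtype", "future_use2",
    "generated_time", "vsys", "event_id", "object", "future_use3", "future_use4",
    "module", "severity", "description", "seqno", "action_flags",
    "dg_level1", "dg_level2", "dg_level3", "dg_level4", "vsys_name", "device_name",
]
USERNAME_RE = re.compile(r"User name: (?P<username>[^,]+)")


def parse_system_log(line):
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    # The description is a quoted field containing commas, so use a CSV reader
    # (what Logstash's csv filter does) instead of a plain split on ",".
    fields = next(csv.reader(StringIO(m.group("body"))))
    if len(fields) != len(SYSTEM_COLUMNS):
        return None  # not a SYSTEM log; TRAFFIC/THREAT logs have other column sets
    rec = dict(zip(SYSTEM_COLUMNS, fields))
    user = USERNAME_RE.search(rec["description"])
    return {
        "received_time": rec["receive_time"],
        "log_time": rec["generated_time"],
        "message": rec["description"].split(". ", 1)[0],  # event text before the detail list
        "username": user.group("username").strip() if user else None,
        "host": rec["device_name"],
    }
```

The same two stages map onto a Logstash filter as a grok for the header followed by a csv filter with these columns on the body field.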

Re: Troubles with parsing the log

Posted: Thu Aug 20, 2020 3:13 pm
by jdunitz
We often use
https://grokdebug.herokuapp.com/

When I tried it on your data, it wouldn't autodiscover it, however. It might take some tweaking.

This was discussed on Reddit a while back; you may find it helpful: https://www.reddit.com/r/paloaltonetwor ... ost_there/

--Jeffrey