
Filter for multiple log formats in syslog

Posted: Fri Jan 22, 2021 6:47 am
by billy_strath
I've got 2 different log formats coming in over syslog, from the same host and want to set the type field based on the format of the line. I know you can have multiple pattern matches in grok (for example at the end of this page https://coralogix.com/log-analytics-blo ... -examples/) but I want to set a field based on the match.
So for example
if pattern one
'type' = 'log 1'
if pattern two
'type' = 'log 2'

what's the best way to do that?

My current filter (which was for just one type of log) is:

if [type] == 'syslog' {
  if [host] == '192.168.10.10' {
    # Parse the single known format into named fields
    grok {
      match => [ 'message', "%{TIMESTAMP_ISO8601:timestamp} %{IP:ipaddress} %{USERNAME:action}: %{WORD:username} %{USERNAME:WorkstationName} %{WORD:location}" ]
    }
    # Array form of replace (legacy syntax; the hash form is the current one)
    mutate { replace => [ 'type', 'log1'] }
    mutate { replace => [ 'host', "%{ipaddress}"] }
  }
}


thanks

Re: Filter for multiple log formats in syslog

Posted: Fri Jan 22, 2021 6:25 pm
by benjaminsmith
Hi Billy,

Good question! I'm going to do a little research on the best approach on this one and follow up with you. Thanks for your patience.

Best Regards,
Benjamin

Re: Filter for multiple log formats in syslog

Posted: Mon Jan 25, 2021 4:59 am
by billy_strath
I found out that although each syslog line was different (and from the same host), they always started with a date/time and then an IP address. This IP address seemed to be a key to the log format, so I've done a partial match and then used an IF around the IP to do a further match and any mutations.

Still need to put my other transforms in, but it does what I need, although maybe not the most elegant:

if [type] == 'syslog' {
  if [host] == '192.168.1.10' {
    # Partial match: every format starts with a timestamp and an IP address
    grok {
      match => [ 'message', "%{TIMESTAMP_ISO8601:timestamp} %{IP:ipaddress}" ]
    }
    # The leading IP address identifies the log format
    if [ipaddress] == "192.168.1.1" {
      mutate { replace => { type => "type1" } }
    } else if [ipaddress] == "192.168.1.2" {
      mutate { replace => { type => "type2" } }
    } else {
      mutate { replace => { type => "type3" } }
      # Drop the fields the partial grok already captured before the full grok
      # re-captures them; otherwise grok appends and they become arrays
      mutate { remove_field => [ "ipaddress", "timestamp" ] }
      grok {
        match => [ 'message', "%{TIMESTAMP_ISO8601:timestamp} %{IP:ipaddress} %{USERNAME:action}: %{WORD:username} %{USERNAME:WorkstationName} %{WORD:location}" ]
      }
      mutate { replace => [ 'host', "%{ipaddress}"] }
    }
  }
}
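One way to set `type` directly from which grok pattern matched, as an added example that is not from any post in this thread: each grok filter tags the event on success (with `tag_on_failure` emptied so a miss is silent) and the tags drive the mutate blocks. The first pattern is the one from the posts; the second pattern, the hypothetical `syslog_sender` field and the sample host address are assumptions, since the thread does not show the second format.

```logstash
filter {
  if [type] == "syslog" and [host] == "192.168.1.10" {
    # Format 1: the pattern from the posts. On a match grok adds the tag;
    # tag_on_failure is emptied so a non-match does not add _grokparsefailure.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{IP:ipaddress} %{USERNAME:action}: %{WORD:username} %{USERNAME:WorkstationName} %{WORD:location}" }
      add_tag => [ "fmt_log1" ]
      tag_on_failure => []
    }
    # Format 2 (assumed layout): only tried when format 1 did not match, so
    # timestamp and ipaddress are not captured twice (which would turn them
    # into arrays). A miss here leaves _grokparsefailure for triage.
    if "fmt_log1" not in [tags] {
      grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{IP:ipaddress} %{GREEDYDATA:detail}" }
        add_tag => [ "fmt_log2" ]
      }
    }
    # Keep the address the syslog daemon recorded before host is replaced
    # with an address parsed out of the message text: the log body is
    # sender-controlled, so the two can legitimately disagree.
    if "fmt_log1" in [tags] or "fmt_log2" in [tags] {
      mutate { add_field => { "syslog_sender" => "%{host}" } }
    }
    if "fmt_log1" in [tags] {
      mutate { replace => { "type" => "log1" } }
      mutate { replace => { "host" => "%{ipaddress}" } }
    } else if "fmt_log2" in [tags] {
      mutate { replace => { "type" => "log2" } }
    }
  }
}
```

Events matching neither pattern keep their original `type` and carry `_grokparsefailure`, so they can be counted or alerted on rather than silently misclassified.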

Re: Filter for multiple log formats in syslog

Posted: Mon Jan 25, 2021 11:14 am
by cdienger
Glad to hear you found something that works. Let us know if you run into any further issues while testing.