regex - Logstash grok filter pattern not found
I've been attempting to create custom grok patterns for Logstash. Most of them work fine, but one has got me stumped. The pattern is:
WINUSER (?<=user:\s)\w+
Here is a sample of the data being searched:
2015-04-14 14:06:18 exchange.ows1.osborneit.com info 1149 nt authority\network service remote desktop services: user authentication succeeded: user: administrator domain: . source network address: 172.24.1.32
I have tested it on http://grokconstructor.appspot.com/do/match and it works correctly, but Logstash seems to ignore it. I can't seem to figure out what I'm doing wrong.
Below is my Logstash configuration:
input {
  udp {
    type => "eventlog"
    codec => json
    port => 5140
    tags => ['windows', 'eventlog']
  }
}
filter {
  if [type] == "eventlog" {
    grok {
      match => [ "message", "%{IP:client}", "message", "%{WINUSER:username}" ]
    }
  }
}
output {
  elasticsearch { host => localhost }
  stdout { codec => json }
}
Update: it appears the issue is not the pattern but the order of the matches. If I move the WINUSER match above the IP match, it works, but then the IP match doesn't. Not sure why both don't match.
It turns out the issue was with the filter section of the config file. I had to split the grok matches into multiple grok filters, as below.
filter {
  if [type] == "eventlog" {
    grok {
      match => [ "message", "%{IPV4:client}" ]
    }
    grok {
      match => [ "message", "%{WINUSER:username}" ]
    }
  }
}
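As an added illustration (not part of the original question or answer): the behaviour described above is what grok's break_on_match option produces. It defaults to true, so a single grok block stops at the first pattern in its match list that succeeds, and the second pattern is never tried. The Python script below emulates a grok block over the sample line from the post. The IPV4 regex is a deliberately simplified stand-in, and the pattern library and field names are assumptions for this example rather than Logstash's own; it shows that one block with two matches yields only the first field, while two separate blocks, or one block with break_on_match set to false, yield both.

```python
import re

# Constructed input: the sample line quoted in the post.
SAMPLE = (
    "2015-04-14 14:06:18 exchange.ows1.osborneit.com info 1149 "
    "nt authority\\network service remote desktop services: user "
    "authentication succeeded: user: administrator domain: . "
    "source network address: 172.24.1.32"
)

# Minimal pattern library for the example. IPV4 is a simplified stand-in
# (hypothetical, not the regex Logstash ships); WINUSER is the custom
# pattern from the post.
PATTERNS = {
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WINUSER": r"(?<=user:\s)\w+",
}

# Matches a grok reference such as %{IPV4:client} or %{IPV4}.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(grok_pattern):
    """Expand %{NAME:field} references into Python named groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(repl, grok_pattern)


def grok(message, patterns, break_on_match=True):
    """Emulate one grok filter block with a list of patterns for one field.

    With break_on_match (the Logstash default) the block stops after the
    first pattern that matches; with it off, every pattern is tried.
    """
    fields = {}
    for pat in patterns:
        m = re.search(expand(pat), message)
        if m:
            fields.update(m.groupdict())
            if break_on_match:
                break
    return fields


def one_block_default():
    # The original config: both matches in a single grok block.
    return grok(SAMPLE, ["%{IPV4:client}", "%{WINUSER:username}"])


def one_block_reversed():
    # The post's update: swapping the order just changes which one wins.
    return grok(SAMPLE, ["%{WINUSER:username}", "%{IPV4:client}"])


def one_block_no_break():
    # Alternative fix: keep one block but set break_on_match => false.
    return grok(SAMPLE, ["%{IPV4:client}", "%{WINUSER:username}"],
                break_on_match=False)


def two_blocks():
    # The fix from the post: one grok block per pattern, each tried on its own.
    fields = grok(SAMPLE, ["%{IPV4:client}"])
    fields.update(grok(SAMPLE, ["%{WINUSER:username}"]))
    return fields


if __name__ == "__main__":
    print("one block, default:     ", one_block_default())
    print("one block, reversed:    ", one_block_reversed())
    print("one block, no break:    ", one_block_no_break())
    print("two blocks:             ", two_blocks())
```

The emulation keeps grok's `%{NAME:field}` syntax and resolves it against a tiny pattern dictionary, so the same script can be pointed at other custom patterns to check whether they interact the same way before touching a running pipeline.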