I have a small POC working for Logstash consuming a number of Windows Events and flat log files via RSyslog, so far so good thanks to the excellent documentation available for Logstash/Grok!
In my efforts to document and one day blog this experience I've encountered a nasty log entry that I cannot seem to get past -- even the excellent online GrokDebugger cannot identify these nasty quoted strings.
Here is a sample line from the log file where pieces are only being identified as a %{QS} quoted string.
<![LOG[Persisting request for program SU Scan for Updates package XXXXXXXX in state Running]LOG]!><time="14:21:46.455+480" date="08-09-2010" component="execmgr" context="" type="1" thread="3328" file="executionrequest.cpp:800">
GrokDebugger recognizes this as:
<!%{SYSLOG5424SD}LOG]!><time=%{QS} date=%{QS} component=%{QS} context="" type="1" thread="3328" file="%{JAVACLASS}:800">
Ideally I would like to extract events out like this:
- @message = "Persisting request for program SU Scan for Updates package XXXXXXXX in state Running"
- @timestamp = 14:21:46.455+480
- @date = 02-16-2010
- @component = execmgr
- @thread = 3328
Has anyone else in the community been successful in parsing/extracting events from System Center logs?
Thanks in advance!
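The sample line above is the CMTrace-style format that System Center clients write; grok's `%{QS}` swallows the quoted attributes, so each one has to be matched explicitly. Below is an added example (not from the original post) in Python that parses that line into the fields the post asks for; the grok pattern in the comment is the equivalent for a Logstash filter and is assumed rather than tested here, and the UTC-bias handling assumes the Windows convention that the signed number after the time is minutes to add to local time to reach UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Match each quoted attribute of the CMTrace line explicitly instead of
# letting a generic quoted-string pattern consume them.
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" '
    r'component="(?P<component>[^"]*)" context="(?P<context>[^"]*)" '
    r'type="(?P<type>\d+)" thread="(?P<thread>\d+)" file="(?P<file>[^"]*)">',
    re.DOTALL,
)

# Equivalent grok pattern for Logstash (assumed, not verified here):
# <!\[LOG\[%{DATA:message}\]LOG\]!><time="%{DATA:time}" date="%{DATA:date}"
# component="%{DATA:component}" context="%{DATA:context}" type="%{INT:type}"
# thread="%{INT:thread}" file="%{DATA:file}">


def parse_cmtrace(line):
    """Return a dict of fields for one CMTrace line, or None if it does not match."""
    m = CMTRACE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # time looks like "HH:MM:SS.mmm+480": clock time followed by a signed
    # UTC bias in minutes (Windows convention: UTC = local + bias).
    tm = re.match(r'([\d:.]+)([+-])(\d+)$', d['time'])
    if not tm:
        raise ValueError('unexpected time format: %r' % d['time'])
    clock, sign, bias = tm.groups()
    fmt = '%m-%d-%Y %H:%M:%S.%f' if '.' in clock else '%m-%d-%Y %H:%M:%S'
    local = datetime.strptime(d['date'] + ' ' + clock, fmt)
    offset = timedelta(minutes=int(bias)) * (1 if sign == '+' else -1)
    d['timestamp_utc'] = (local + offset).replace(tzinfo=timezone.utc)
    d['thread'] = int(d['thread'])
    d['type'] = int(d['type'])
    return d


# Sample line copied from the post.
SAMPLE = ('<![LOG[Persisting request for program SU Scan for Updates package '
          'XXXXXXXX in state Running]LOG]!><time="14:21:46.455+480" '
          'date="08-09-2010" component="execmgr" context="" type="1" '
          'thread="3328" file="executionrequest.cpp:800">')

if __name__ == '__main__':
    for k, v in parse_cmtrace(SAMPLE).items():
        print('%s = %s' % (k, v))
```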