Logstash - grok configuration filter

Question

I am trying to filter the output of the "last" command using grok.

The grok pattern is only matching the first variable "user" . It is not matching any pattern after it.

Can you please let me know what i am missing here.

Log:

sam     pts/0        172.19.16.3     Tue Mar  3 11:32 - 11:39  (00:07)

Grok pattern used :

match => [ "message", "%{USER:user} %{TTY:terminal}  %{IPORHOST:client} %{TIMESTAMP_ISO8601:date} %{NUMBER:duration}" ]

Answer 1

Several issues with your pattern:

1. List item

you have to take care of the Whitespace

if you have data like:

username    foobar

the pattern:

%{USER:user} %{WORD}

will not match because you have several white spaces between the two words. If you do:

%{USER:user} +%{WORD}

the pattern will match because you tell grok to look for more than one space between the two words. Try to check your pattern with http://grokdebug.herokuapp.com/ one step at a time. First try to work out the GROK patterns for the individual parts and if they work try to put them together one by one.

2. The pattern tty does not match pts/0 but expects something like /dev/pts/0

Take a look at the pattern definition. They can be found under: https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns

The TTY pattern in particular is in: https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns