
I've been attempting to create some custom grok patterns for logstash. Most of them work fine, but one has got me stumped. The pattern is:

WINUSER (?<=User:\s)\w+ 

Here is a sample of the data that is being searched:

2015-04-14 14:06:18 exchange.ows1.osborneit.com INFO 1149 NT AUTHORITY\NETWORK SERVICE Remote Desktop Services: User authentication succeeded:

User: administrator
Domain: .
Source Network Address: 172.24.1.32

I have tested this on http://grokconstructor.appspot.com/do/match and it works correctly, but logstash seems to ignore it. I can't seem to figure out what I'm doing wrong.

Below is my logstash configuration:

input {
  udp {
    type => "eventlog"
    codec => json
    port => 5140
    tags => ['windows', 'eventlog']
  }
}
filter {
  if [type] == "eventlog" {
    grok {
      match => [
        "message", "%{IP:client}",
        "message", "%{WINUSER:username}"
      ]
    }
  }
}
output {
  elasticsearch { host => localhost }
  stdout { codec => json }
}

Update: It appears that the issue is not with the pattern, but with the order of the match. If I move the WINUSER match above the IP match, it works, but the IP match doesn't. Not sure why both don't match.

1 Answer

It turns out the issue was with the filter section of the config file. I had to split the grok matches into multiple lines, like below.

filter {
  if [type] == "eventlog" {
    grok {
      match => [ "message", "%{IPV4:client}" ]
    }
    grok {
      match => [ "message", "%{WINUSER:username}" ]
    }
  }
}
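The behaviour described in the question and the answer (one grok block sets only the field of whichever pattern is listed first; two separate blocks set both) is what Logstash's grok option break_on_match does, and it defaults to true. The Ruby below is an added example that models that, not the poster's config or Logstash's own code; the IPV4 pattern is simplified and the sample event is constructed.

```ruby
# Added example (not the poster's config or Logstash code): a minimal model of
# grok pattern expansion and the break_on_match behaviour of one grok filter.
PATTERNS = {
  # Simplified IPv4 pattern; the real grok IPV4 pattern is stricter.
  'IPV4'    => '(?:\d{1,3}\.){3}\d{1,3}',
  # The custom pattern from the question.
  'WINUSER' => '(?<=User:\s)\w+'
}.freeze

# Expand every %{NAME:field} into a named capture group taken from PATTERNS.
def expand_grok(pattern)
  Regexp.new(pattern.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{PATTERNS.fetch($1)})" })
end

# Try each pattern in order, like one grok block; with break_on_match
# (Logstash's default) stop after the first pattern that matches.
def grok_filter(message, patterns, break_on_match: true)
  fields = {}
  patterns.each do |p|
    m = expand_grok(p).match(message)
    next unless m
    fields.merge!(m.named_captures)
    break if break_on_match
  end
  fields
end

# Constructed event modelled on the sample in the question.
SAMPLE = <<~MSG
  2015-04-14 14:06:18 exchange.example.test INFO 1149 Remote Desktop Services: User authentication succeeded:
  User: administrator
  Domain: .
  Source Network Address: 172.24.1.32
MSG

ONE_BLOCK = ['%{IPV4:client}', '%{WINUSER:username}'].freeze

# One grok block with default settings: only the first match sets fields.
def one_block_default
  grok_filter(SAMPLE, ONE_BLOCK)
end

# The same block with break_on_match => false: both fields are set.
def one_block_no_break
  grok_filter(SAMPLE, ONE_BLOCK, break_on_match: false)
end

# Two separate grok blocks, as in the answer: each runs independently.
def two_blocks
  grok_filter(SAMPLE, ['%{IPV4:client}']).merge(grok_filter(SAMPLE, ['%{WINUSER:username}']))
end
```

Reversing ONE_BLOCK reproduces the question's update: the single block then yields only username, never client.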