This is an example from a WSO2 audit log file:

```
[2016-11-22 00:20:30,657]  INFO -  Initiator : wso2.system.user | Action : Change Password by User | Target : admin | Data : {  } | Result : Success
```

I am trying to write a Grok pattern using the Grok debugger, but all I am getting is No Matches.

```
\[%{TIMESTAMP_ISO8601:timestamp}\]%{SPACE}%{LOGLEVEL:level}-%{SPACE}%{GREEDYDATA:log_message}
```
baudsp
sriramsm04

1 Answer

The pattern is missing a space between `%{LOGLEVEL:level}` and the following dash (`-`).
It would look like this: `...%{LOGLEVEL:level}%{SPACE}-%{SPACE}...` or `...%{LOGLEVEL:level} -%{SPACE}...` (you don't have to use `%{SPACE}` if you are sure the number of spaces will always be the same).

baudsp
  • Thanks mate. It helped! – sriramsm04 Nov 24 '16 at 09:16
  • @sriramsm04 you're welcome. A few resources to help you next time: [grok filter tester](http://grokconstructor.appspot.com/do/match#result), [grok filter documentation](https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html) and [base grok patterns](https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns). – baudsp Nov 24 '16 at 09:46
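
As an added example (not part of the original question or answer), this Python sketch emulates grok expansion to show why the original pattern fails on the sample line and the corrected one matches. It goes one step further than the thread by splitting the audit message into its fields. The `GROK` table holds simplified stand-ins for the stock patterns, and the function names and the `AUDIT` pattern are assumptions made for illustration.

```python
import re

# Simplified stand-ins for the stock grok patterns (assumption: the real
# definitions in logstash-patterns-core are broader; these cover this format).
GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL)",
    "SPACE": r"\s*",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

def grok_to_regex(expr):
    """Expand %{NAME} / %{NAME:field} references into a compiled Python regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, expr))

def grok_match(expr, line):
    """Return the captured fields, or None (the debugger's 'No Matches')."""
    m = grok_to_regex(expr).search(line)
    return m.groupdict() if m else None

# Sample line from the question.
LINE = ("[2016-11-22 00:20:30,657]  INFO -  Initiator : wso2.system.user | "
        "Action : Change Password by User | Target : admin | Data : {  } | "
        "Result : Success")

# Pattern as posted: requires '-' immediately after the log level.
ORIGINAL = (r"\[%{TIMESTAMP_ISO8601:timestamp}\]%{SPACE}%{LOGLEVEL:level}"
            r"-%{SPACE}%{GREEDYDATA:log_message}")
# Pattern as corrected in the answer: %{SPACE} before the dash.
FIXED = (r"\[%{TIMESTAMP_ISO8601:timestamp}\]%{SPACE}%{LOGLEVEL:level}"
         r"%{SPACE}-%{SPACE}%{GREEDYDATA:log_message}")
# Hypothetical extension: capture each audit field instead of one blob.
AUDIT = (FIXED.replace("%{GREEDYDATA:log_message}", "")
         + r"Initiator : %{DATA:initiator} \| Action : %{DATA:action} \| "
           r"Target : %{DATA:target} \| Data : %{DATA:data} \| "
           r"Result : %{GREEDYDATA:result}")

if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("fixed", FIXED), ("audit", AUDIT)):
        print(name, "->", grok_match(pattern, LINE))
```

Having `initiator`, `action`, `target` and `result` as separate fields lets events such as password changes be filtered or alerted on directly, without further string matching on `log_message`.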