How to skip the beginning of a message with Grok Patterns?

Question

I am trying to extract only the last part of a Linux log using Grok Patterns in Graylog, but it's harder than I tought.

Here's the message that I receive:

Mar 18 11:10:01 graylog CRON[14637]: pam_unix(cron:session): session closed for user root

I only want to keep date, time and the "session closed for user root" part.

This is what I tried, without results:

%{GREEDYDATA} pam_unix(cron:session):
%{GREEDYDATA} session closed for user root
%{MONTH} %{BASE10NUM} %{TIME} %{GREEDYDATA}graylog CRON[18698]: pam_unix(cron:session):

Maybe I am still using "greedydata" wrong(?), any help would be greatly appreciated!

score 1 · Accepted Answer · answered Mar 19 '21 at 11:45

You can use

%{MONTH:month} %{BASE10NUM:day} %{TIME:time} %{DATA}: pam_unix\(cron:session\):\s*%{GREEDYDATA:message}

Details:

%{MONTH:month} - month name
%{BASE10NUM:day} - one or more digits
%{TIME:time} - time pattern
%{DATA} - .*? lazy-dot regex pattern, matches any zero or more chars other than line break chars, as few as possible (note that you may change it to %{DATA:cron} to get graylog CRON[14637] in the output)
: pam_unix\(cron:session\): - a literal : pam_unix(cron:session): text
\s* - zero or more whitespaces
%{GREEDYDATA:message} - .* regex pattern matching the rest of the line.

How to skip the beginning of a message with Grok Patterns?

1 Answers1