I am lost! I have an example NetScaler log and I want to use a Grok pattern in Elastic.

Example Log:

Dec 18 20:37:08 <local0.info> 10.217.31.247 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=10.217.253.78 spt=53743 method=GET request=http://vpx247.example.net/FFC/login.html msg=Disallow Illegal URL. cn1=233 cn2=205 cs1=profile1 cs2=PPE0 cs3=AjSZM26h2M+xL809pON6C8joebUA000 cs4=ALERT cs5=2012 act=blocked

I don't know the pattern for <local0.info>. The timestamp is %{SYSLOGTIMESTAMP:timestamp}, that's easy, but what about the next one and the other strings?

I really hope someone can help me out :S

Osmose

1 Answer


You can use the Grok Debugger to debug grok patterns. Below is the grok pattern for your example log:

%{SYSLOGTIMESTAMP:timestamp} <%{DATA:facility}\.%{LOGLEVEL:severity}> %{IP:ip} %{DATA:cef_header}\|src=%{IP:source_ip} %{GREEDYDATA:payload}

Let's split the payload field using the kv filter of Logstash.

kv {
  source      => "payload"
  value_split => "="
  # Split on a space only when the next "key=" token follows it, so a value
  # that contains spaces (msg=Disallow Illegal URL.) is kept whole.
  field_split_pattern => " (?=[A-Za-z0-9_]+=)"
  # Nest the pairs under "cef": "msg" is itself one of the CEF keys.
  target      => "cef"
}
Sourav
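As an added example (not part of the question or the answer above), here is the same parse done in plain Python: the grok line rewritten as an equivalent regex with the seven pipe-separated CEF header fields named individually, plus a splitter for the extension part that stops each value at the next "key=" token instead of at every space. It also includes the space-split behaviour of the kv filter as posted, so you can see how it truncates msg. The only input is the log line from the question; the field names (facility, severity, cef_version, signature_id, ...) and the expanded regex are my own choices, not names from any grok library.

```python
import re

# Constructed input: the NetScaler AppFW line from the question, unchanged.
SAMPLE_LOG = (
    "Dec 18 20:37:08 <local0.info> 10.217.31.247 "
    "CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|"
    "src=10.217.253.78 spt=53743 method=GET "
    "request=http://vpx247.example.net/FFC/login.html "
    "msg=Disallow Illegal URL. cn1=233 cn2=205 cs1=profile1 cs2=PPE0 "
    "cs3=AjSZM26h2M+xL809pON6C8joebUA000 cs4=ALERT cs5=2012 act=blocked"
)

# Hand-expanded equivalent of the grok line (assumed field names): syslog
# timestamp, <facility.severity>, reporting IP, then the seven CEF header
# fields and the free-form extension.
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"<(?P<facility>[^.>]+)\.(?P<severity>[^>]+)> "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"CEF:(?P<cef_version>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<device_version>[^|]*)\|(?P<signature_id>[^|]*)\|(?P<name>[^|]*)\|"
    r"(?P<cef_severity>[^|]*)\|(?P<extension>.*)$"
)

# A CEF extension key: a run of [A-Za-z0-9_] at the start of the extension or
# right after a space, immediately followed by '='. A '\=' inside a value
# never matches because the backslash breaks the key run.
KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")


def parse_header(line):
    """Return the syslog prefix and CEF header fields, or None on no match."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def parse_extension(extension):
    """Split the extension into key/value pairs. Each value runs from its
    '=' up to the start of the next ' key=' token, so spaces inside values
    survive. CEF escapes '=' and '\\' in values; those are unescaped here."""
    keys = list(KEY_RE.finditer(extension))
    fields = {}
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        raw = extension[start:end]
        fields[m.group(1)] = raw.replace(r"\=", "=").replace("\\\\", "\\")
    return fields


def naive_kv(extension):
    """What field_split => ' ' / value_split => '=' does: every token without
    an '=' is dropped, so a value with spaces keeps only its first word."""
    fields = {}
    for token in extension.split(" "):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def parse_line(line):
    """Full parse: header fields plus the extension pairs under 'cef'."""
    event = parse_header(line)
    if event is None:
        return None
    event["cef"] = parse_extension(event.pop("extension"))
    return event


if __name__ == "__main__":
    event = parse_line(SAMPLE_LOG)
    print(event["timestamp"], event["facility"], event["severity"], event["ip"])
    print("kept whole:", event["cef"]["msg"])
    print("space-split:", naive_kv(parse_header(SAMPLE_LOG)["extension"])["msg"])
```

The lookahead-style split in parse_extension is the same idea as a field_split_pattern of " (?=[A-Za-z0-9_]+=)" in the kv filter: a space only ends a value when a new key follows it. It is still heuristic, since a value that itself contains " word=" would be cut there; CEF producers are expected to escape such content, which is why the unescape step is included.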