
I have a log file like this. It's large, so I only want to 'grep' for 'CRON'.

Dec 28 22:30:01 user-desktop CRON[65168]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
Dec 28 22:33:36 user-desktop systemd[1]: Started Run anacron jobs.
Dec 28 22:33:36 user-desktop anacron[65194]: Anacron 2.3 started on 2022-12-28
Dec 28 22:33:36 user-desktop anacron[65194]: Normal exit (0 jobs run)
Dec 28 22:33:36 user-desktop systemd[1]: anacron.service: Deactivated successfully.
Dec 28 23:17:01 user-desktop CRON[65587]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)

I would like to capture only lines that have "CRON" in them. I can map it fine with grok afterwards.

%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}
NinjaGaiden

1 Answer


Does this work:

%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} CRON\[%{NUMBER:VehicleID}\]: %{GREEDYDATA:syslog_program}
M4NI5H
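To check how the two patterns behave, here is an added example (not from the question or the answer) that expands each grok pattern into a Python regex and runs it over the six sample lines. The grok definitions in the `GROK` table are simplified equivalents I wrote, not the ones shipped with logstash-patterns-core, and `VehicleID` is kept as the answer's field name even though it holds the cron PID.

```python
import re

# Constructed sample: the six lines from the question.
LOG_LINES = [
    "Dec 28 22:30:01 user-desktop CRON[65168]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)",
    "Dec 28 22:33:36 user-desktop systemd[1]: Started Run anacron jobs.",
    "Dec 28 22:33:36 user-desktop anacron[65194]: Anacron 2.3 started on 2022-12-28",
    "Dec 28 22:33:36 user-desktop anacron[65194]: Normal exit (0 jobs run)",
    "Dec 28 22:33:36 user-desktop systemd[1]: anacron.service: Deactivated successfully.",
    "Dec 28 23:17:01 user-desktop CRON[65587]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)",
]

# Simplified regex equivalents of the grok patterns used on this page (assumption:
# logstash-patterns-core defines them more broadly; these cover standard syslog lines).
GROK = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "SYSLOGHOST": r"[0-9A-Za-z][0-9A-Za-z.-]*",
    "SYSLOGPROG": r"[\w./-]+(?:\[\d+\])?",
    "NUMBER": r"\d+",
    "GREEDYDATA": r".*",
}

QUESTION_PATTERN = ("%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} "
                    "%{SYSLOGPROG:syslog_program}")
ANSWER_PATTERN = ("%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} "
                  r"CRON\[%{NUMBER:VehicleID}\]: %{GREEDYDATA:syslog_program}")

def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand %{NAME:field} tokens into named groups; text outside tokens is regex, as in grok."""
    def expand(m: re.Match) -> str:
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile("^" + re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern))

def grok_lines(lines, pattern: str):
    """Return one dict of captured fields per matching line; non-matching lines are dropped
    (the Logstash equivalent: grok tags them _grokparsefailure and a conditional drops them)."""
    rx = grok_to_regex(pattern)
    return [m.groupdict() for line in lines if (m := rx.match(line))]

if __name__ == "__main__":
    print(len(grok_lines(LOG_LINES, QUESTION_PATTERN)), "lines match the question's pattern")
    for event in grok_lines(LOG_LINES, ANSWER_PATTERN):
        print(event["VehicleID"], event["syslog_program"])
```

The question's own pattern matches all six lines (SYSLOGPROG accepts any program name), so it does not filter; the answer's pattern matches only the two CRON lines. In Logstash, the lines the answer's pattern rejects get the `_grokparsefailure` tag, which you can test for in a conditional and pass to `drop {}`.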