FYI,
I've been trying to use the Metron Grok parser with multiple patterns in a single
file, but it doesn't work. This is my sample grok pattern in
/apps/metron/patterns/authlog:
AUTHLOG %{NUMBER:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}
AUTHLOG %{NUMBER:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} closed for user %{USERNAME:username}
When the sensor starts, the second grok pattern doesn't work. Only the
first pattern works.
There is an error message like this in the storm logs:
Caused by: java.lang.RuntimeException: Grok statement produced a null message.
On 23/10/17 10:49, tkg_cangkul wrote:
Hi Wasim,
Thanks for your reply.
So does it mean I should use the logstash parser for Metron?
Is there any documentation about using the logstash parser for Metron?
I didn't find any documentation about that in Metron.
I just found the logstash basic parser, but there is no documentation about
it.
On 23/10/17 10:33, Wasim Halani wrote:
Hi Youzha,
It should be possible to add multiple patterns in a single config
file. For reference, you can check out the use of multiple patterns
in a repo I maintain [1].
You would find the patterns in [2] useful for your use-case.
However, do note that there is a cost to every grok failure [3] - so
you need to ensure that your most common event patterns are at the
top of the list.
As a side-note, if you have any logstash parsers which are not
available in the repo, please feel free to submit a PR to [4].
[1] https://bitbucket.org/networkintelligence/logstash-configs/raw/aae3d61bb6c53beb0678536e2e9b33d7996e2960/cisco-asa.conf
[2] https://bitbucket.org/networkintelligence/logstash-configs/raw/aae3d61bb6c53beb0678536e2e9b33d7996e2960/linux-system.conf
[3] https://www.elastic.co/blog/do-you-grok-grok
[4] https://bitbucket.org/networkintelligence/logstash-configs/
Regards,
---
Wasim Halani
http://twitter.com/washalsec
http://securitythoughts.wordpress.com
----------
To keep silent when you can say something wise and useful is as bad
as keeping on propagating foolish and unwise thoughts. -- Imam Ali
(p.b.u.h.)
On Mon, Oct 23, 2017 at 8:08 AM, Youzha <[email protected]> wrote:
Hi, is it possible to use multiple grok patterns in 1
pattern file?
I'm trying to parse the authlog file /var/log/secure into
Metron. The problem is that there are different structures of logs
inside /var/log/secure. Any suggestions for this, please?
Best Regards,
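As an added example (not code from this thread, from Metron, or from the linked repo), the following Python script models the two points raised above: a pattern file that defines the same name twice collapses to a single definition, and an ordered list of distinctly named patterns, tried most-common-first, is the way to cover several log shapes while keeping the cost of failed grok attempts visible. The base pattern library is a simplified subset written for this example, the sample log lines are constructed to fit the posted pattern (epoch timestamp first) rather than taken from a real /var/log/secure, and the first-match-wins loop stands in for the grok engine Metron and logstash actually use.

```python
import re

# Simplified subset of the standard grok library, written for this example;
# it is not Metron's own pattern file.
BASE_PATTERNS = {
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "SYSLOGHOST": r"[a-zA-Z0-9._-]+",  # simplified: hostname or IPv4 literal
}

# The file as posted in the thread: both definitions share the name AUTHLOG,
# so in a name -> body map one silently replaces the other.
DUPLICATED_FILE = r"""
AUTHLOG %{NUMBER:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}
AUTHLOG %{NUMBER:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} closed for user %{USERNAME:username}
"""

# The same two shapes under distinct names (hypothetical labels chosen here).
# The label list handed to compile_labels() fixes the order they are tried in.
AUTHLOG_FILE = r"""
AUTHLOG_PASSWORD %{NUMBER:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}
AUTHLOG_CLOSED %{NUMBER:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} closed for user %{USERNAME:username}
"""

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def find_duplicate_names(text):
    """Return pattern names that a grok pattern file defines more than once."""
    seen, dupes = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split(" ", 1)[0]
        if name in seen and name not in dupes:
            dupes.append(name)
        seen.add(name)
    return dupes


def load_pattern_file(text):
    """Parse 'NAME body' lines into a dict, refusing duplicate names up front."""
    dupes = find_duplicate_names(text)
    if dupes:
        raise ValueError(f"duplicate grok pattern names: {dupes}")
    patterns = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, body = line.split(" ", 1)
            patterns[name] = body
    return patterns


def expand(name, library, depth=0):
    """Recursively rewrite %{NAME:field} references into Python named groups."""
    if depth > 20:
        raise RecursionError(f"pattern reference too deep at {name}")

    def sub(m):
        ref, field = m.group(1), m.group(2)
        inner = expand(ref, library, depth + 1)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"

    return GROK_REF.sub(sub, library[name])


def compile_labels(labels, library):
    """Compile an ordered list of (label, regex) pairs; put the common ones first."""
    return [(label, re.compile(expand(label, library))) for label in labels]


def parse_line(line, compiled):
    """First matching pattern wins; 'attempts' counts how many regexes ran."""
    for attempts, (label, rx) in enumerate(compiled, start=1):
        m = rx.search(line)  # grok matches anywhere in the line, like find()
        if m:
            return label, m.groupdict(), attempts
    return None, {}, len(compiled)


# Constructed sample lines in the shape the posted pattern expects.
SAMPLE_LINES = [
    "1508730541 myhost sshd[2107]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "1508730560 myhost sshd[2107]: session closed for user alice",
    "1508730575 myhost sshd[2110]: Failed password for invalid user bob from 10.0.0.9 port 40000 ssh2",
]


def demo():
    """Parse the sample lines with the two named patterns, password shape first."""
    library = dict(BASE_PATTERNS)
    library.update(load_pattern_file(AUTHLOG_FILE))
    compiled = compile_labels(["AUTHLOG_PASSWORD", "AUTHLOG_CLOSED"], library)
    return [parse_line(line, compiled) for line in SAMPLE_LINES]


if __name__ == "__main__":
    print("duplicate names in posted file:", find_duplicate_names(DUPLICATED_FILE))
    for label, fields, attempts in demo():
        print(label, attempts, fields)
```

The third sample line ("Failed password for invalid user ...") matches neither pattern and still costs both regex evaluations, which is the failure cost the linked post [3] describes; a line shape you expect to see often belongs at the front of the label list, and a shape the patterns do not cover should be added rather than left to fall through.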