
How to interpret a log line with a GROK pattern

Aug 05, 2020 01:30 AM

Requirement:

A GROK pattern can be tested from the log source card with a sample log line.



Solution:

The log line received from the Cisco VPN in the example below must be matched by a valid GROK pattern before it can be parsed:

Log line: cp-aruba.com 2018-03-15T13:34:08-08:00 Mar 15 13:34:08 cp-aruba.com %ASA-5-722033[0]: Group <Aruba-GROUP> User <aruba> IP <50.1.2.3> AnyConnect parent session started

 

GROK pattern that needs to be added to match the above log line: 

{

        "pattern": "%{IPORHOST:source} %{TIMESTAMP_ISO8601:sourcetime} %{GREEDYDATA} Group \\<%{GREEDYDATA:group}\\> User \\<%{GREEDYDATA:user}\\> IP \\<%{IP:remoteip}\\> AnyConnect parent session %{WORD:status}"

    }

 

Note that in the above, we have modified the existing GROK pattern to match the log line format being received. In this case, we removed the period following %{WORD:status} in the default GROK pattern.

The above GROK pattern parses the last part of the string, "AnyConnect parent session started", which does not end with a period (.). After adding the above GROK pattern and testing the log line/raw message, we see that it matches the GROK pattern:


Configuration:

Navigate to Menu -> Configuration -> Log Sources:

 

From the log source configuration, let's take the example of the log source CISCO ANYCONNECT VPN. Click "Modify Parser" in the Actions drop-down on the log source card:

On clicking GROK, you will see the GROK patterns available for CISCO ANYCONNECT VPN. The available GROK patterns for Cisco VPN are:

[

    {

        "pattern": "%{IPORHOST:source} %{TIMESTAMP_ISO8601:sourcetime} %{GREEDYDATA} Group \\<%{GREEDYDATA:group}\\> User \\<%{GREEDYDATA:user}\\> IP \\<%{IP:remoteip}\\> WebVPN session %{WORD:status}"

    },

    {

        "pattern": "%{IPORHOST:source} %{TIMESTAMP_ISO8601:sourcetime} %{GREEDYDATA} Group \\<%{GREEDYDATA:group}\\> User \\<%{GREEDYDATA:user}\\> IP \\<%{IP:remoteip}\\> AnyConnect parent session %{WORD:status}."

    },

    {

        "pattern": "%{IPORHOST:source} %{TIMESTAMP_ISO8601:sourcetime} %{GREEDYDATA} Group \\= %{DATA:group}, Username \\= %{GREEDYDATA:user}, IP \\= %{IP:remoteip}, Session\\s%{WORD:status}. Session Type: %{GREEDYDATA:sessiontype}, Duration: %{DATA:duration}, Bytes xmt: %{NUMBER:sent}, Bytes rcv: %{NUMBER:rcvd}, Reason: %{GREEDYDATA:reason}"

    },

    {

        "pattern": "%{IPORHOST:source} %{TIMESTAMP_ISO8601:sourcetime} %{GREEDYDATA} Group \\<%{GREEDYDATA:group}\\> User \\<%{GREEDYDATA:user}\\> IP \\<%{IP:remoteip}\\> Authentication: %{WORD:status}, Session Type: %{GREEDYDATA:sessiontype}"

    }

]

 

Once the events/raw messages are received in Introspect, a raw message must satisfy one of the above GROK patterns to be parsed successfully. This can be tested by pasting the log line/raw message into the Sample log line section. Let's test with the log line below:

 

cp-aruba.com 2018-03-15T13:34:08-08:00 Mar 15 13:34:08 cp-aruba.com %ASA-5-722033[0]: Group <Aruba-GROUP> User <aruba> IP <50.1.2.3> AnyConnect parent session started


Verification

From the above, we notice that the log line failed to match any GROK pattern. The log line can be interpreted against the GROK pattern as follows (log fragment, then the GROK token it corresponds to):

cp-aruba.com  ->  %{IPORHOST:source}

2018-03-15T13:34:08-08:00 Mar 15 13:34:08  ->  %{TIMESTAMP_ISO8601:sourcetime}

Group <Aruba-GROUP>  ->  Group \<%{GREEDYDATA:group}\>

User <aruba>  ->  User \<%{GREEDYDATA:user}\>

IP <50.1.2.3>  ->  IP \<%{IP:remoteip}\>

AnyConnect parent session started  ->  AnyConnect parent session %{WORD:status}.

From the above, we notice that the GROK pattern ends with a dot: "%{WORD:status}." expects the status word after "AnyConnect parent session" to be followed by a period (.). The raw message/log line has no trailing period, so none of the existing GROK patterns match it. We need to add a GROK pattern as below for the log line to be matched:

 

  {

        "pattern": "%{IPORHOST:source} %{TIMESTAMP_ISO8601:sourcetime} %{GREEDYDATA} Group \\<%{GREEDYDATA:group}\\> User \\<%{GREEDYDATA:user}\\> IP \\<%{IP:remoteip}\\> AnyConnect parent session %{WORD:status}"

    }

 

Note that in the above, %{WORD:status} is not followed by a period.

The above GROK pattern parses the last part of the string, "AnyConnect parent session started", which does not end with a period (.). After adding the above GROK pattern and testing the log line/raw message, we see that it matches the GROK pattern:
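The matching behaviour described in the Solution and Verification sections, as an added example that is not part of the original article and not Introspect's own parser: a minimal GROK-to-regex compiler in Python with a reduced set of the standard Logstash primitives, run over the four shipped CISCO ANYCONNECT VPN patterns and the added pattern against the sample log line above. The primitive definitions are simplified and are an assumption; the `\\<` in the JSON shown earlier appears as the single-escaped `\<` inside the Python raw strings.

```python
import re

# Reduced set of grok primitives, modelled on the standard Logstash definitions.
# Assumption: these simplified forms are sufficient for the patterns on this page.
GROK_PRIMITIVES = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "HOSTNAME": r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?",
    "WORD": r"\b\w+\b",   # trailing \b stops the engine splitting "started" into "starte" + "d"
    "NUMBER": r"-?\d+(?:\.\d+)?",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

# %{NAME} or %{NAME:field}
GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand grok tokens into a Python regex; named tokens become named groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(GROK_PRIMITIVES[name])   # primitives may nest (IPORHOST -> IP)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_TOKEN.sub(expand, pattern)


def grok_match(pattern, line):
    """Captured fields as a dict, or None when the pattern does not match.
    Matching is unanchored (re.search), as in Logstash grok."""
    m = re.compile(grok_to_regex(pattern)).search(line)
    return m.groupdict() if m else None


def first_matching_pattern(patterns, line):
    """(index, fields) of the first pattern that matches the line, else (None, None)."""
    for idx, pattern in enumerate(patterns):
        fields = grok_match(pattern, line)
        if fields is not None:
            return idx, fields
    return None, None


# Shared prefix of every Cisco VPN pattern on the page.
PREFIX = r"%{IPORHOST:source} %{TIMESTAMP_ISO8601:sourcetime} %{GREEDYDATA} "
ANGLE = r"Group \<%{GREEDYDATA:group}\> User \<%{GREEDYDATA:user}\> IP \<%{IP:remoteip}\> "

# The four patterns shipped for CISCO ANYCONNECT VPN, as listed on the page.
EXISTING_PATTERNS = [
    PREFIX + ANGLE + r"WebVPN session %{WORD:status}",
    PREFIX + ANGLE + r"AnyConnect parent session %{WORD:status}.",   # note the trailing period
    PREFIX + r"Group \= %{DATA:group}, Username \= %{GREEDYDATA:user}, IP \= %{IP:remoteip}, "
             r"Session\s%{WORD:status}. Session Type: %{GREEDYDATA:sessiontype}, "
             r"Duration: %{DATA:duration}, Bytes xmt: %{NUMBER:sent}, Bytes rcv: %{NUMBER:rcvd}, "
             r"Reason: %{GREEDYDATA:reason}",
    PREFIX + ANGLE + r"Authentication: %{WORD:status}, Session Type: %{GREEDYDATA:sessiontype}",
]

# The pattern the page adds: the second one without the trailing period.
ADDED_PATTERN = PREFIX + ANGLE + r"AnyConnect parent session %{WORD:status}"

# Sample log line from the page.
SAMPLE_LINE = ("cp-aruba.com 2018-03-15T13:34:08-08:00 Mar 15 13:34:08 cp-aruba.com "
               "%ASA-5-722033[0]: Group <Aruba-GROUP> User <aruba> IP <50.1.2.3> "
               "AnyConnect parent session started")

if __name__ == "__main__":
    print("existing patterns only:", first_matching_pattern(EXISTING_PATTERNS, SAMPLE_LINE))
    print("with added pattern:    ",
          first_matching_pattern(EXISTING_PATTERNS + [ADDED_PATTERN], SAMPLE_LINE))
```

Two points worth knowing when reading the result. First, the unescaped `.` at the end of the shipped pattern is a regex metacharacter that matches any single character, not only a literal period; the pattern still fails on this line because nothing at all follows "started", and the trailing `\b` in the standard WORD primitive prevents the engine from backtracking to status = `starte` and letting the `.` consume the `d`. Second, TIMESTAMP_ISO8601 captures only the leading `2018-03-15T13:34:08-08:00`; the syslog-style repeat `Mar 15 13:34:08 cp-aruba.com %ASA-5-722033[0]:` is swallowed by the unnamed %{GREEDYDATA} and discarded.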
