Hello, I have the following example lines to match with grok, but it only generates this _grokparsefailure error:
OSSEC - RULEID: "1484654377"; RULEID: "5402"; RULELEVEL: "3"; RULEGROUP: "syslog,sudo"; RULECOMMENT: "Successful sudo to ROOT executed"; DSTUSER: "root"; SRCIP: "None"; HOSTNAME: "elk-stack-2"; LOCATION: "/var/log/auth.log"; EVENT: "[INIT]Jan 17 09:59:36 elk-stack-2 sudo: root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/su[END]";
My grok conf is:
filter {
  grok {
    match => {
      "message" => "OSSEC - RULEID: \"%{NUMBER:timestamp}\"; RULEID: \"${NUMBER:ruleid}\"; RULELEVEL: \"${NUMBER:rulelevel}\"; RULEGROUP: \"${GREEDYDATA:rulegroup}\"; RULECOMMENT: \"${DATA:rulecomment}\"; DSTUSER: \"${NOTSPACE:dstuser}\"; SRCIP: \"${NOTSPACE:srcip}\"; HOSTNAME: \"${NOTSPACE:hostname}\"; LOCATION: \"${NOTSPACE:location}\"; EVENT: \"[INIT]${DATA:event}[END]\";"
    }
  }
}
Where am I going wrong?
You confused the syntax: you used $ instead of % in many cases above (the references must be written as %{...}). Also, the [ outside a character class must be escaped to match literal [ symbols. I also suggest using DATA instead of GREEDYDATA with the rulegroup field.
Use
OSSEC - RULEID: \"%{NUMBER:timestamp}\"; RULEID: \"%{NUMBER:ruleid}\"; RULELEVEL: \"%{NUMBER:rulelevel}\"; RULEGROUP: \"%{DATA:rulegroup}\"; RULECOMMENT: \"%{DATA:rulecomment}\"; DSTUSER: \"%{NOTSPACE:dstuser}\"; SRCIP: \"%{NOTSPACE:srcip}\"; HOSTNAME: \"%{NOTSPACE:hostname}\"; LOCATION: \"%{NOTSPACE:location}\"; EVENT: \"\[INIT\]%{DATA:event}\[END\]\";
Also, you may replace all spaces with \s+ to streamline matching if the whitespace may differ.
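As an added illustration (not code from the question, the answer, or Logstash itself), the Python script below is a minimal grok-to-regex expander with its own four-entry pattern table, simplified from the real Logstash definitions. It runs the question's pattern, the half-fixed pattern, and the answer's pattern against the sample line so that each point in the answer can be seen in isolation: ${...} is not a grok reference and stays as literal text, [INIT] is a regex character class unless its brackets are escaped, and the \s+ variant is the only one that still matches a line whose whitespace differs. Quotes are written plainly here; inside a Logstash config string they appear as \". The pattern bodies in GROK_PATTERNS and the padded sample line are constructed for this example.

```python
import re

# Tiny subset of Logstash's grok pattern library, simplified for this example
# (assumption: the real NUMBER definition is more elaborate than this).
GROK_PATTERNS = {
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?)",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "NOTSPACE": r"\S+",
}

# A grok reference is %{PATTERN} or %{PATTERN:field}. A stray ${...} is not a
# reference, so it stays in the regex as literal text and never matches.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand grok references into a Python regex with named capture groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]  # KeyError for an unknown pattern name
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(expand, pattern)


def grok_match(pattern, line):
    """Return the captured fields, or None (what Logstash tags _grokparsefailure)."""
    m = re.match(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


def loosen_whitespace(pattern):
    """Replace every run of spaces in the pattern with \\s+, as the answer suggests."""
    return re.sub(r" +", lambda _: r"\s+", pattern)


# The sample line from the question. Quotes are written plainly here; inside a
# Logstash config string they are escaped as \".
LINE = ('OSSEC - RULEID: "1484654377"; RULEID: "5402"; RULELEVEL: "3"; '
        'RULEGROUP: "syslog,sudo"; RULECOMMENT: "Successful sudo to ROOT executed"; '
        'DSTUSER: "root"; SRCIP: "None"; HOSTNAME: "elk-stack-2"; '
        'LOCATION: "/var/log/auth.log"; EVENT: "[INIT]Jan 17 09:59:36 elk-stack-2 '
        'sudo: root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/su[END]";')

# 1. The question's pattern: ${...} instead of %{...}, and [INIT]/[END] unescaped.
QUESTION_PATTERN = (
    'OSSEC - RULEID: "%{NUMBER:timestamp}"; RULEID: "${NUMBER:ruleid}"; '
    'RULELEVEL: "${NUMBER:rulelevel}"; RULEGROUP: "${GREEDYDATA:rulegroup}"; '
    'RULECOMMENT: "${DATA:rulecomment}"; DSTUSER: "${NOTSPACE:dstuser}"; '
    'SRCIP: "${NOTSPACE:srcip}"; HOSTNAME: "${NOTSPACE:hostname}"; '
    'LOCATION: "${NOTSPACE:location}"; EVENT: "[INIT]${DATA:event}[END]";')

# 2. Only the $ -> % fix applied. Still fails: in a regex, [INIT] is a character
#    class matching one of I, N or T, not the literal text "[INIT]".
HALF_FIXED_PATTERN = QUESTION_PATTERN.replace("${", "%{")

# 3. The answer's pattern: %{...} everywhere, \[ and \] for the literal brackets,
#    and the non-greedy DATA instead of GREEDYDATA for rulegroup.
ANSWER_PATTERN = (
    'OSSEC - RULEID: "%{NUMBER:timestamp}"; RULEID: "%{NUMBER:ruleid}"; '
    'RULELEVEL: "%{NUMBER:rulelevel}"; RULEGROUP: "%{DATA:rulegroup}"; '
    'RULECOMMENT: "%{DATA:rulecomment}"; DSTUSER: "%{NOTSPACE:dstuser}"; '
    'SRCIP: "%{NOTSPACE:srcip}"; HOSTNAME: "%{NOTSPACE:hostname}"; '
    r'LOCATION: "%{NOTSPACE:location}"; EVENT: "\[INIT\]%{DATA:event}\[END\]";')

# A constructed variant of the line with extra spaces after every ';', which
# only the \s+ version of the pattern accepts.
PADDED_LINE = LINE.replace("; ", ";   ")


def run_all():
    """Match every pattern variant against both lines; None means parse failure."""
    return {
        "question": grok_match(QUESTION_PATTERN, LINE),
        "half_fixed": grok_match(HALF_FIXED_PATTERN, LINE),
        "answer": grok_match(ANSWER_PATTERN, LINE),
        "answer_on_padded": grok_match(ANSWER_PATTERN, PADDED_LINE),
        "loose_on_padded": grok_match(loosen_whitespace(ANSWER_PATTERN), PADDED_LINE),
    }


if __name__ == "__main__":
    for name, fields in run_all().items():
        print(f"{name:17s} -> {'_grokparsefailure' if fields is None else fields}")
```

Running the script prints _grokparsefailure for the question's pattern, for the half-fixed pattern, and for the answer's pattern against the padded line, and the ten extracted fields for the two matching cases. The expander is deliberately simple: it does not handle nested pattern definitions or type casts such as %{NUMBER:ruleid:int}, which real grok supports.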