I am working on getting Call Manager logs into logstash and I need some help with the grok parser for the logs. Can anyone help me come up with a grok pattern for the following log entry:
<190>136768: Dec 23 2019 10:48:59.476 UTC : %UC_AUDITLOG-6-AdministrativeEvent: %[UserID=administrator][ClientAddress=192.168.1.5][Severity=6][EventType=UserAccess][ResourceAccessed=CUCMServiceability][EventStatus=Success][CompulsoryEvent=No][AuditCategory=AdministrativeEvent][ComponentID=Cisco CCM Servicability][CorrelationID=][AuditDetails=Attempt to access data was successful.User is authorized to access alarmconfig][AppID=Cisco Tomcat][ClusterID=][NodeID=cm01.home.local]: Audit Event is generated by this application
I am trying to use the Grok Debugger, but I am not getting very far https://grokdebug.herokuapp.com/
So far I have this:
<%{NUMBER:message_type_id}>%{NUMBER:internal_id}:%{SPACE}%{CISCOTIMESTAMP:cisco_timestamp}%{SPACE}%{DATA:gmt}:%{SPACE}%{PROG}:
Try this:
INPUT:
<190>136768: Dec 23 2019 10:48:59.476 UTC : %UC_AUDITLOG-6-AdministrativeEvent: %[UserID=administrator][ClientAddress=192.168.1.5][Severity=6][EventType=UserAccess][ResourceAccessed=CUCMServiceability][EventStatus=Success][CompulsoryEvent=No][AuditCategory=AdministrativeEvent][ComponentID=Cisco CCM Servicability][CorrelationID=][AuditDetails=Attempt to access data was successful.User is authorized to access alarmconfig][AppID=Cisco Tomcat][ClusterID=][NodeID=cm01.home.local]: Audit Event is generated by this application
GROK PATTERN:
<%{NUMBER:message_type_id}>%{NUMBER:internal_id}:%{SPACE}%{CISCOTIMESTAMP:cisco_timestamp}%{SPACE}%{DATA:gmt}%{SPACE}:%{SPACE}%{PROG}:%{SPACE}\%\[UserID=%{GREEDYDATA:UserID}\]\[ClientAddress=%{IP:ClientAddress}\]\[Severity=%{NUMBER:Severity}\]\[EventType=%{GREEDYDATA:EventType}\]\[ResourceAccessed=%{GREEDYDATA:ResourceAccessed}\]\[EventStatus=%{GREEDYDATA:EventStatus}\]\[CompulsoryEvent=%{GREEDYDATA:CompulsoryEvent}\]\[AuditCategory=%{GREEDYDATA:AuditCategory}\]\[ComponentID=%{GREEDYDATA:ComponentID}\]\[CorrelationID=%{GREEDYDATA:CorrelationID}\]\[AuditDetails=%{GREEDYDATA:AuditDetails}\]\[AppID=%{GREEDYDATA:AppID}\]\[ClusterID=%{GREEDYDATA:ClusterID}\]\[NodeID=%{GREEDYDATA:NodeID}\]:%{SPACE}%{GREEDYDATA:description}
OUTPUT:
{
"message_type_id": [
[
"190"
]
],
"BASE10NUM": [
[
"190",
"136768",
"6"
]
],
"internal_id": [
[
"136768"
]
],
"SPACE": [
[
" ",
" ",
" ",
" ",
" ",
" "
]
],
"cisco_timestamp": [
[
"Dec 23 2019 10:48:59.476"
]
],
"MONTH": [
[
"Dec"
]
],
"MONTHDAY": [
[
"23"
]
],
"YEAR": [
[
"2019"
]
],
"TIME": [
[
"10:48:59.476"
]
],
"HOUR": [
[
"10"
]
],
"MINUTE": [
[
"48"
]
],
"SECOND": [
[
"59.476"
]
],
"gmt": [
[
"UTC"
]
],
"PROG": [
[
"%UC_AUDITLOG-6-AdministrativeEvent"
]
],
"UserID": [
[
"administrator"
]
],
"ClientAddress": [
[
"192.168.1.5"
]
],
"IPV6": [
[
null
]
],
"IPV4": [
[
"192.168.1.5"
]
],
"Severity": [
[
"6"
]
],
"EventType": [
[
"UserAccess"
]
],
"ResourceAccessed": [
[
"CUCMServiceability"
]
],
"EventStatus": [
[
"Success"
]
],
"CompulsoryEvent": [
[
"No"
]
],
"AuditCategory": [
[
"AdministrativeEvent"
]
],
"ComponentID": [
[
"Cisco CCM Servicability"
]
],
"CorrelationID": [
[
""
]
],
"AuditDetails": [
[
"Attempt to access data was successful.User is authorized to access alarmconfig"
]
],
"AppID": [
[
"Cisco Tomcat"
]
],
"ClusterID": [
[
""
]
],
"NodeID": [
[
"cm01.home.local"
]
],
"description": [
[
"Audit Event is generated by this application "
]
]
}
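As an added example that is not part of the original answer, here is a Python equivalent of the grok pattern above. It parses the same line, also decodes the syslog PRI into facility and severity, and scans the [Key=Value] groups generically so the field order does not have to be hard-coded the way the grok pattern does; the sample line is constructed with the same layout as the one in the question.

```python
import re
from datetime import datetime, timezone

# Constructed sample with the same layout as the line in the question.
SAMPLE = (
    "<190>136768: Dec 23 2019 10:48:59.476 UTC : %UC_AUDITLOG-6-AdministrativeEvent: "
    "%[UserID=administrator][ClientAddress=192.168.1.5][Severity=6][EventType=UserAccess]"
    "[ResourceAccessed=CUCMServiceability][EventStatus=Success][CompulsoryEvent=No]"
    "[AuditCategory=AdministrativeEvent][ComponentID=Cisco CCM Servicability][CorrelationID=]"
    "[AuditDetails=Attempt to access data was successful.User is authorized to access alarmconfig]"
    "[AppID=Cisco Tomcat][ClusterID=][NodeID=cm01.home.local]: Audit Event is generated by this application"
)

# Fixed header: <PRI>seq: timestamp TZ : %FACILITY-SEV-MNEMONIC: %[...]...[...]: description
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<seq>\d+):\s+"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(?P<tz>\S+)\s*:\s+"
    r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>\w+):\s+"
    r"%(?P<body>\[.*\]):\s*(?P<desc>.*?)\s*$"
)
# One [Key=Value] group; Value may be empty (CorrelationID=, ClusterID=) but may not contain ']'.
KV = re.compile(r"\[([^=\]]+)=([^\]]*)\]")


def parse_cucm_audit(line):
    """Return a dict of the parsed line, or None if the header does not match."""
    m = HEADER.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    fmt = "%b %d %Y %H:%M:%S.%f" if "." in m.group("ts") else "%b %d %Y %H:%M:%S"
    ts = datetime.strptime(m.group("ts"), fmt)
    if m.group("tz") == "UTC":
        ts = ts.replace(tzinfo=timezone.utc)  # other zone names are left naive
    return {
        "pri": pri,
        "syslog_facility": pri >> 3,  # 190 -> 23 (local7)
        "syslog_severity": pri & 7,   # 190 -> 6 (informational)
        "seq": int(m.group("seq")),
        "time": ts,
        "facility": m.group("fac"),
        "severity": int(m.group("sev")),
        "mnemonic": m.group("mnemonic"),
        "fields": dict(KV.findall(m.group("body"))),  # UserID, ClientAddress, ...
        "description": m.group("desc"),
    }


if __name__ == "__main__":
    for key, value in parse_cucm_audit(SAMPLE).items():
        print(f"{key}: {value}")
```

A value containing a literal ']' is not handled by either this scanner or the grok pattern, so check AuditDetails on other event types before relying on it.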