I am trying to extract only the last part of a Linux log line using Grok patterns in Graylog, but it's harder than I thought.
Here's the message that I receive:
Mar 18 11:10:01 graylog CRON[14637]: pam_unix(cron:session): session closed for user root
I only want to keep date, time and the "session closed for user root" part.
This is what I tried, without results:
%{GREEDYDATA} pam_unix(cron:session):
%{GREEDYDATA} session closed for user root
%{MONTH} %{BASE10NUM} %{TIME} %{GREEDYDATA}graylog CRON[18698]: pam_unix(cron:session):
Maybe I am still using "greedydata" wrong? Any help would be greatly appreciated!
You can use
%{MONTH:month} %{BASE10NUM:day} %{TIME:time} %{DATA}: pam_unix\(cron:session\):\s*%{GREEDYDATA:message}
Details:
%{MONTH:month} - month name
%{BASE10NUM:day} - one or more digits
%{TIME:time} - time pattern
%{DATA} - .*? lazy-dot regex pattern, matches any zero or more chars other than line break chars, as few as possible (note that you may change it to %{DATA:cron} to get graylog CRON[14637] in the output)
: pam_unix\(cron:session\): - a literal : pam_unix(cron:session): text
\s* - zero or more whitespaces
%{GREEDYDATA:message} - .* regex pattern matching the rest of the line.
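The extraction the answer's pattern performs, as an added example that is not part of the question or the answer above: a small Python script expands %{NAME} and %{NAME:field} references into a Python regex and runs the asker's first attempt and the answer's pattern over the posted log line. The grok base definitions in GROK_DEFS are a simplified, hand-written subset (an assumption for this example, not the exact regexes the grok library ships), and the second sample line is constructed. It also shows why the first attempt can never match: in a regex, the unescaped parentheses in pam_unix(cron:session) form a group, so the pattern is looking for the text "pam_unixcron:session:", which is not in the line.

```python
import re

# Simplified subset of the grok base patterns (assumption: the real
# definitions are longer and use look-arounds; these suffice for syslog lines).
GROK_DEFS = {
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|"
             r"Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|"
             r"Nov(?:ember)?|Dec(?:ember)?)\b",
    "BASE10NUM": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "TIME": r"\d{1,2}:\d{2}(?::\d{2}(?:\.\d+)?)?",
    "DATA": r".*?",        # lazy: as few chars as possible
    "GREEDYDATA": r".*",   # greedy: the rest of the line
}

# Matches %{NAME} or %{NAME:field} inside a grok pattern.
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, defs=GROK_DEFS):
    """Expand grok references into a Python regex.

    %{NAME:field} becomes a named group (?P<field>...); a bare %{NAME}
    becomes a non-capturing group, so it contributes no extracted field.
    Definitions may reference other patterns, hence the recursion.
    """
    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in defs:
            raise KeyError(f"unknown grok pattern {name}")
        body = grok_to_regex(defs[name], defs)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    return _REF.sub(repl, pattern)


def grok_match(pattern, line, defs=GROK_DEFS):
    """Return the named fields as a dict if the pattern matches, else None.

    re.search is used because grok engines scan the line for the pattern
    (an assumption about engine behaviour; the patterns here anchor at the
    month anyway). An empty dict means 'matched, but nothing was named'.
    """
    m = re.search(grok_to_regex(pattern, defs), line)
    return m.groupdict() if m else None


# The line from the question plus one constructed sibling line.
LOG_LINE = ("Mar 18 11:10:01 graylog CRON[14637]: pam_unix(cron:session): "
            "session closed for user root")
OPEN_LINE = ("Mar 18 11:10:01 graylog CRON[14637]: pam_unix(cron:session): "
             "session opened for user root by (uid=0)")  # constructed

# The asker's first attempt: unescaped parentheses form a regex group.
FIRST_ATTEMPT = r"%{GREEDYDATA} pam_unix(cron:session):"
# Escaped, but with no named capture: matches, extracts nothing.
ESCAPED_UNNAMED = r"%{GREEDYDATA} pam_unix\(cron:session\):"
# The pattern from the answer.
ANSWER_PATTERN = (r"%{MONTH:month} %{BASE10NUM:day} %{TIME:time} %{DATA}: "
                  r"pam_unix\(cron:session\):\s*%{GREEDYDATA:message}")
# The variant mentioned in the answer that also keeps the host/process part.
WITH_CRON = ANSWER_PATTERN.replace("%{DATA}", "%{DATA:cron}")


if __name__ == "__main__":
    for label, pat in [("first attempt", FIRST_ATTEMPT),
                       ("escaped, unnamed", ESCAPED_UNNAMED),
                       ("answer", ANSWER_PATTERN),
                       ("answer with cron field", WITH_CRON)]:
        print(f"{label:24} -> {grok_match(pat, LOG_LINE)}")
    print(f"{'constructed open line':24} -> {grok_match(ANSWER_PATTERN, OPEN_LINE)}")
```

Running it prints None for the first attempt, {} for the escaped-but-unnamed variant, and the month/day/time/message fields for the answer's pattern; adding :cron to %{DATA} additionally yields "graylog CRON[14637]".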