RayofCommand

Reputation: 4254

Understanding grok-pattern to configure LogStash for Advanced IIS log

I switched from the normal IIS log to the Advanced IIS log and am having some trouble parsing a log entry correctly for my Elasticsearch / Kibana setup.

The problematic entry is the cs_cookie entry.

The entry for that value can be like this:

".ASPXANONYMOUS=lCoa4IyW0AEkAAAAMWQzM2Y3YTktZTE4MC00N2Q0LWFjNzEtMmQ3NzFlODk2ZDA50; DNNPersonalization=<profile><item key=""Usability:UserMode9"" type=""System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b766a5c561934e089""><string>VIEW</string></item></profile>"

So it contains multiple spaces and quotes. I used the grok debugger but couldn't find a solution; please advise me.

Upvotes: 0

Views: 1251

Answers (1)

Alain Collins

Reputation: 16362

To build up a pattern, start from the left side and examine each piece as you move to the right.

Start with %{GREEDYDATA:remainder}, which will match everything into a field called "remainder".

Your sample string starts with a quote, so add that:

"%{GREEDYDATA:remainder}

Now remainder won't have the initial quote any more.

The next piece looks like a key/value pair that ends with a semi-colon, so add that:

"%{NOTSPACE:key1}=%{NOTSPACE:value1}; %{GREEDYDATA:remainder}

Looking at what's left in "remainder" shows, at a high level, another key/value pair. You could split that out, or add more detailed parsing to get the pieces from inside the second value.

Since your sample is really two key/value pairs, you might do the initial split with the kv{} filter and then grok{} those pieces as needed.

Upvotes: 1
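The left-to-right approach from the answer, carried through in Python as an added example (this is not code from the question or the answer, and it is not a Logstash config). Grok's NOTSPACE and GREEDYDATA are `\S+` and `.*` in the stock pattern library, so the first function is the same match as the answer's second pattern; the next two functions are the kv-style split and the "more detailed parsing" of the second value. The sample value is constructed from the one in the question, and treating its doubled quotes as CSV-style escaping of a literal quote is an assumption. Because cs_cookie is client-supplied, every step returns None or skips a chunk on malformed input instead of raising, which is the Logstash behaviour of tagging `_grokparsefailure` and leaving the field unparsed rather than dropping the event.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample, modelled on the cs_cookie value quoted in the question.
SAMPLE = (
    '".ASPXANONYMOUS=lCoa4IyW0AEkAAAAMWQzM2Y3YTktZTE4MC00N2Q0LWFjNzEtMmQ3NzFlODk2ZDA50; '
    'DNNPersonalization=<profile><item key=""Usability:UserMode9"" '
    'type=""System.String, mscorlib, Version=4.0.0.0, Culture=neutral, '
    'PublicKeyToken=b766a5c561934e089""><string>VIEW</string></item></profile>"'
)

# Python named-group equivalent of the answer's second pattern:
#   "%{NOTSPACE:key1}=%{NOTSPACE:value1}; %{GREEDYDATA:remainder}
# NOTSPACE is \S+ and GREEDYDATA is .* in the stock grok pattern library.
FIRST_PAIR = re.compile(
    r'^"(?P<key1>\S+)=(?P<value1>\S+); (?P<remainder>.*)$', re.DOTALL
)


def grok_first_pair(field: str) -> Optional[Dict[str, str]]:
    """Step 2 of the answer: peel off the first key/value pair.

    Returns None when the pattern does not match, which is what Logstash
    does (it tags the event _grokparsefailure and keeps the raw field).
    """
    m = FIRST_PAIR.match(field)
    return m.groupdict() if m else None


def split_cookie_pairs(cookie: str) -> Dict[str, str]:
    """The kv{} step: split a cookie string into name -> value.

    Splitting on a bare '; ' would break a value that contains spaces, so
    the split only happens at a '; ' that is followed by another 'name='.
    A chunk without '=' is skipped instead of failing the whole event.
    """
    pairs: Dict[str, str] = {}
    for chunk in re.split(r";\s+(?=[^\s=;]+=)", cookie):
        name, sep, value = chunk.partition("=")
        if sep:
            pairs[name.strip()] = value
    return pairs


def parse_cs_cookie(field: str) -> Dict[str, str]:
    """Whole field: drop the surrounding quotes IIS wraps the field in,
    undo the doubled quotes (assumed here to be CSV-style escaping of a
    literal quote), then split into pairs."""
    if len(field) >= 2 and field[0] == '"' and field[-1] == '"':
        field = field[1:-1]
    field = field.replace('""', '"')
    return split_cookie_pairs(field)


def parse_dnn_personalization(xml_text: str) -> Optional[Dict[str, str]]:
    """The 'more detailed parsing' of the second value: key, type and the
    string inside the DNNPersonalization XML. The XML is client-supplied,
    so a parse error yields None rather than an exception."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    item = root.find("item")
    if item is None:
        return None
    string_el = item.find("string")
    return {
        "key": item.get("key", ""),
        "type": item.get("type", ""),
        "value": (string_el.text or "") if string_el is not None else "",
    }


if __name__ == "__main__":
    print(grok_first_pair(SAMPLE))
    pairs = parse_cs_cookie(SAMPLE)
    print(pairs)
    print(parse_dnn_personalization(pairs["DNNPersonalization"]))
```

The lookahead in `split_cookie_pairs` is the detail that matters for this field: the second value carries spaces and commas inside an XML attribute, so a plain NOTSPACE or a blind split on `; ` would cut it in the wrong place, which is why the answer moves that work out of grok and into kv{} plus a second parse.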
