Mateus Soares
Reputation: 1
Grok configuration pattern
I'm trying to parse the Zeek IDS log using telegraf and influxdb. In the logs that zeek uses, they are separated by tabs, but when telegraf reads these logs, it adds \t. I am not able to create a pattern to perform the separation of fields
Log Zeek:
1669666446.619248 CLod7M1SB6EGHAp50a fe80::a00:27ff:fe8d:4f7d 143 ff02::16 0 icmp - - - - OTH F F 0 - 1 96 00 -
Telegraf Debug:
2022-11-29T14:36:52Z D! [parsers.grok::tail] Grok no match found for: "1669666446.619248\tCLod7M1SB6EGHAp50a\tfe80::a00:27ff:fe8d:4f7d\t143\tff02::16\t0\ticmp\t-\t-\t-\t-\tOTH\tF\tF\t0\t-\t1\t96\t0\t0\t-"
Grok Debugger:
%{SYSLOGHOST:ts}\t%{WORD:uuid}
No Matches
I've already made several attempts at patterns but without success. my knowledge is basic
Upvotes: 0
Views: 157
Answers (0)
Related Questions
- A complicated logstash pattern in Grok
- Creating a custom GROK pattern
- grok pattern for log event
- what will be the Grok pattern for this custom log pattern?
- How to write custom grok for logstash
- Grok pattern grammar syntax
- Grok Pattern not working in Logstash
- Custom Grok Pattern for logs
- Logstash grok pattern issue
- Logstash Grok Pattern