Paul Chauvet
2014-10-31 16:05:49 UTC
Hi all,
I'm kinda stuck on trying to do something with logstash. I'm trying to use
it to consume and parse files from the Zimbra mail server right now -
starting with the audit.log file. That file unfortunately has several
types of information (IMAP, Web Client, Caldav, ActiveSync, etc.). To
handle this, I set up multiple patterns, but I get a grokparsefailure on all of
these (though they were tested in the GrokDebugger).
My config on the logstash server is as follows:
filter {
  if [type] == "zimbra_audit" {
    grok {
      # try every listed pattern, not just the first that matches
      break_on_match => false
      patterns_dir => [ "/etc/logstash/patterns.d" ]
      match => [
        "message", "%{ZIMBRA_AUDIT_IMAPPOP}",
        "message", "%{ZIMBRA_AUDIT_WEB}",
        "message", "%{ZIMBRA_AUDIT_WEBFAIL}",
        "message", "%{ZIMBRA_AUDIT_ACTIVESYNC}",
        "message", "%{ZIMBRA_AUDIT_CALDAV}"
      ]
    }
  }
}
I'm not sure that what I'm doing (listing multiple patterns, each as a
separate message) is done correctly or even possible. Any advice you can
provide on this would be appreciated!
P.S. I've included some of those below from a file in my patterns
directory (I'll neaten these up eventually). The first is a preface that
is the same on each line, the next two are patterns that differ in the log.
ZIMBRA_AUDIT_PREFACE %{TIMESTAMP_ISO8601:Timestamp} %{LOGLEVEL:LogLevel} +%{SYSLOG5424SD:Connection}
ZIMBRA_AUDIT_IMAPPOP %{ZIMBRA_AUDIT_PREFACE} \[ip=%{IPV4:Proxy_IP};oip=%{IPV4:Client_IP};\] security - cmd=Auth; account=%{GREEDYDATA:Account}; protocol=%{WORD:Protocol};
ZIMBRA_AUDIT_WEB %{ZIMBRA_AUDIT_PREFACE} \[name=%{USERNAME:user}@%{JAVACLASS:Domain};oip=%{IPV4:Client_IP};ua=zclient/7.2.7_GA_2942;\] security - cmd=Auth; account=%{GREEDYDATA:Account}; protocol=%{WORD:Protocol};
Thanks,
Paul Chauvet
--
Remember: if a new user has a bad time, it's a bug in logstash.
---
You received this message because you are subscribed to the Google Groups "logstash-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to logstash-users+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
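A way to check patterns like the ones in the post outside logstash, as an added example that is not part of the thread and not logstash's own code: a small Python script that expands `%{NAME:field}` references into named regex groups the way grok does, emulates the filter's `break_on_match => false` behaviour and the `_grokparsefailure` tag, and runs the two posted Zimbra patterns over three constructed audit lines. The base patterns (TIMESTAMP_ISO8601, IPV4, SYSLOG5424SD and so on) are simplified stand-ins for the logstash defaults, the sample lines are made up to fit the posted patterns rather than taken from a real Zimbra audit.log, and the `matched_patterns` field is a diagnostic added here, not something grok emits.

```python
import re

# Simplified stand-ins for the logstash core patterns the posted Zimbra patterns
# reference (assumption: the real logstash definitions are broader than these).
BASE_PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)",
    "SYSLOG5424SD": r"\[[^\]]*\]",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\w+",
    "GREEDYDATA": r".*",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "JAVACLASS": r"(?:[a-zA-Z0-9-]+\.)+[a-zA-Z0-9$]+",
}

# The Zimbra patterns from the post, each on a single line as a patterns_dir
# file requires.
ZIMBRA_PATTERNS = {
    "ZIMBRA_AUDIT_PREFACE": r"%{TIMESTAMP_ISO8601:Timestamp} %{LOGLEVEL:LogLevel} +%{SYSLOG5424SD:Connection}",
    "ZIMBRA_AUDIT_IMAPPOP": r"%{ZIMBRA_AUDIT_PREFACE} \[ip=%{IPV4:Proxy_IP};oip=%{IPV4:Client_IP};\] security - cmd=Auth; account=%{GREEDYDATA:Account}; protocol=%{WORD:Protocol};",
    "ZIMBRA_AUDIT_WEB": r"%{ZIMBRA_AUDIT_PREFACE} \[name=%{USERNAME:user}@%{JAVACLASS:Domain};oip=%{IPV4:Client_IP};ua=zclient/7.2.7_GA_2942;\] security - cmd=Auth; account=%{GREEDYDATA:Account}; protocol=%{WORD:Protocol};",
}

ALL_PATTERNS = {**BASE_PATTERNS, **ZIMBRA_PATTERNS}

# %{NAME} or %{NAME:field}: the reference syntax grok expands.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(name, patterns=ALL_PATTERNS):
    """Expand %{NAME:field} references recursively into one Python regex.

    A reference with a field name becomes a named group, one without becomes
    a non-capturing group, which is how grok itself builds its regex.
    """
    def expand(m):
        ref, field = m.group(1), m.group(2)
        inner = GROK_REF.sub(expand, patterns[ref])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return re.compile(GROK_REF.sub(expand, patterns[name]))


def grok_event(message, pattern_names, patterns=ALL_PATTERNS, break_on_match=False):
    """Emulate the grok filter on one line.

    Each listed pattern is tried in order with an unanchored search, like grok,
    and its captures are merged into the event. With break_on_match=False every
    pattern is tried; the event is tagged _grokparsefailure only when none
    matched. 'matched_patterns' is a diagnostic field added here, not a grok
    feature.
    """
    event = {"message": message, "matched_patterns": []}
    for name in pattern_names:
        m = compile_grok(name, patterns).search(message)
        if m is None:
            continue
        event.update({k: v for k, v in m.groupdict().items() if v is not None})
        event["matched_patterns"].append(name)
        if break_on_match:
            break
    if not event["matched_patterns"]:
        event["tags"] = ["_grokparsefailure"]
    return event


# Constructed sample lines shaped to fit the posted patterns, not real Zimbra
# output. The third is a failed web login with a different suffix, for which
# the post lists no pattern.
SAMPLE_LINES = [
    "2014-10-31 09:15:02,118 INFO  [ImapServer-12] [ip=10.1.1.5;oip=192.0.2.44;] security - cmd=Auth; account=alice@example.edu; protocol=imap;",
    "2014-10-31 09:16:40,003 INFO  [btpool0-9] [name=bob@example.edu;oip=198.51.100.7;ua=zclient/7.2.7_GA_2942;] security - cmd=Auth; account=bob@example.edu; protocol=soap;",
    "2014-10-31 09:17:01,500 WARN  [btpool0-3] [oip=203.0.113.9;] security - cmd=Auth; account=mallory@example.edu; error=authentication failed;",
]

PATTERN_ORDER = ["ZIMBRA_AUDIT_IMAPPOP", "ZIMBRA_AUDIT_WEB"]


def parse_samples(break_on_match=False):
    """Run the posted patterns over the sample lines; returns one event per line."""
    return [grok_event(line, PATTERN_ORDER, break_on_match=break_on_match)
            for line in SAMPLE_LINES]


if __name__ == "__main__":
    for ev in parse_samples():
        print(ev.get("tags", ev["matched_patterns"]),
              {k: ev[k] for k in ("Account", "Client_IP", "Protocol") if k in ev})
```

The first two lines each match exactly one of the two patterns and come out with Account, Client_IP and Protocol filled in; the third matches neither and is tagged `_grokparsefailure`, which is the same outcome the filter produces for any line whose shape none of the listed alternatives covers. Because grok's search is unanchored, starting the preface with `^` avoids scanning the whole line for a second possible start when the first attempt fails.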