1. Describe your incident:
I am trying to write a pipeline rule that will extract value based on a grok pattern and set field.
Sample log:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: asdf
Account Domain: -
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A
I want to extract the Failure Reason into its own field, event_error_description.
2. Describe your environment:
- OS Information: Rocky 9.5
- Package Version: Graylog 6.1.5, MongoDB 6.0.19, OpenSearch 2.15
- Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
I have read forum postings, including this GitHub issue page, Multiline support for Grok extractor · Issue #2465 · Graylog2/graylog2-server · GitHub, which mentions (%s) and (%m), but both do not work, or I am not doing them right. I have tried editing the grok pattern on Grok Debugger.
This is a pattern I have tried:
(Failure Reason:\s\t%{GREEDYDATA:event_error_description})
4. How can the community help?
Hopefully someone can point out where I have written the GROK pattern wrongly. Or, will I have to use regex?
Thank you. Happy 2025!
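The following Python script is an added example, not code from the post, from Graylog, or from the GitHub issue. It expands the posted grok pattern into the regular expression it compiles to and runs it over the event text from the post, constructed here as one multiline string the way a pipeline rule sees it in the message field. The tab-separated variant is an assumption about how the raw Windows event text might look, and `grok_to_regex` and `grok_match` are hypothetical helpers written for this illustration (GREEDYDATA = `.*` and DATA = `.*?` are the standard grok definitions). It shows why `\s\t` does not match the pasted text, why the DOTALL flag (`(?s)`, which is presumably what the post's `(%s)` refers to) makes things worse rather than better, and a whitespace-tolerant pattern that captures only the reason line:

```python
import re

# Constructed sample: the 4625 event text pasted in the post, joined as one
# multiline message the way a pipeline rule would see it in the message field.
SAMPLE_SPACE = (
    "An account failed to log on.\n"
    "Subject:\n"
    "Security ID: NULL SID\n"
    "Account Name: -\n"
    "Account Domain: -\n"
    "Logon ID: 0x0\n"
    "Logon Type: 3\n"
    "Account For Which Logon Failed:\n"
    "Security ID: NULL SID\n"
    "Account Name: asdf\n"
    "Account Domain: -\n"
    "Failure Information:\n"
    "Failure Reason: Unknown user name or bad password.\n"
    "Status: 0xC000006D\n"
    "Sub Status: 0xC000006A"
)

# Assumption: the raw Windows event text separates the label from the value
# with tabs rather than a single space. Constructed variant for comparison.
SAMPLE_TABS = SAMPLE_SPACE.replace("Failure Reason: ", "Failure Reason:\t\t")

# Standard grok definitions of the two patterns involved.
GROK = {"GREEDYDATA": r".*", "DATA": r".*?"}

# The pattern from the post, and a whitespace-tolerant alternative.
ORIGINAL_PATTERN = r"Failure Reason:\s\t%{GREEDYDATA:event_error_description}"
FIXED_PATTERN = r"Failure Reason:\s*%{GREEDYDATA:event_error_description}"


def grok_to_regex(pattern):
    """Hypothetical helper: expand %{NAME:field} into a named capture group.

    Python spells named groups (?P<field>...); Java, and therefore Graylog,
    spell them (?<field>...). The matching semantics shown here are the same.
    """
    return re.sub(
        r"%\{(\w+):(\w+)\}",
        lambda m: f"(?P<{m.group(2)}>{GROK[m.group(1)]})",
        pattern,
    )


def grok_match(pattern, text, dotall=False):
    """Hypothetical helper: search `text` with the expanded grok pattern.

    Returns the named captures as a dict, or None when nothing matches.
    dotall=True corresponds to a leading (?s) in the pattern: `.` then also
    matches newlines, so GREEDYDATA swallows the rest of the event. A (?m)
    flag only changes what ^ and $ anchor to, so it has no effect on a
    pattern that uses neither.
    """
    flags = re.S if dotall else 0
    m = re.compile(grok_to_regex(pattern), flags).search(text)
    return m.groupdict() if m else None


if __name__ == "__main__":
    # \s\t demands two whitespace characters, the second one a tab: it cannot
    # match the single space in the pasted text, but it does match two tabs.
    print(grok_match(ORIGINAL_PATTERN, SAMPLE_SPACE))   # None
    print(grok_match(ORIGINAL_PATTERN, SAMPLE_TABS))    # reason line only
    # \s* accepts either separator, and GREEDYDATA (.*) stops at the end of
    # the line by default, so only the reason text is captured.
    print(grok_match(FIXED_PATTERN, SAMPLE_SPACE))
    # With DOTALL the capture runs on through Status and Sub Status.
    print(grok_match(FIXED_PATTERN, SAMPLE_SPACE, dotall=True))
```

The point for the pipeline rule is that no multiline flag is needed to pull one line out of a multiline message: the default behaviour of `.` already stops the capture at the line break, and the only thing the posted pattern gets wrong is insisting on the exact whitespace between the label and the value. In Graylog the whitespace-tolerant pattern goes into the rule's `grok(pattern: ..., value: to_string($message.message), only_named_captures: true)` call followed by `set_fields()`, with backslashes escaped as the rule language's string literal requires. If the event carries `\r\n` line endings, Java's `.` also stops before the `\r`, so the captured value stays clean in Graylog; Python's `.` does not, which is why the constructed sample above uses plain `\n`.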