Grok Pattern doesn't execute

Rnm · December 29, 2017, 11:17am

Hi everyone,

I have an issue with Grok pattern on Graylog.

Here is an log message I want to extract :

9999-01-07T23:12:43+02:00 9999 00.00.00.00 stm[9999]: <999999> <00.00.00.00 FF:FF:FF:FF:FF:FF> Dropping the radius packet for Station FF:FF:FF:FF:FF:FF FF:FF:FF:FF:FF:FF doing 802.1x

I use Grok Debugger website to create my Grok pattern. Here is my grok input :

%{TIMESTAMP_ISO8601:Date} %{BASE10NUM} %{IPV4:Host_ipaddress} %{DATA:error_location}: <%{DATA:error_id}> <%{DATA:log_level}> <%{DATA} %{COMMONMAC:Host_macaddress}> [%{SPACE}]%{GREEDYDATA:message}

It’s not the most optimized code but it’s worked on website. If I put this Grok pattern on Graylog, he give me this message :

“Attention
We were not able to run the grok extraction. Please check your parameters.”

If I dsable the “Named captures only” option it’s worked but there are some information I don’t want. And my Grok pattern are created with this parameter

Do you know where is the issue ?

Thank in advance and happy holidays !

jochen · January 3, 2018, 8:17am

What’s in the logs of your Graylog node(s) when trying to use that Grok pattern?

Have all Grok patterns used in your extractor been added to Graylog? Check in System / Grok patterns.

Rnm · January 3, 2018, 2:14pm

Hi Jochen and Happy New Year !

I checked the server.log and I have no error on the log file

All pattern use in the extractor exist in Graylog so the issue is not there.

Thank you for your help.

jochen · January 3, 2018, 3:21pm

Please provide to full configuration of the Grok extractor, a dump of the MongoDB collection “grok_patterns”, and a few example messages so that we can try to reproduce your problem.

Rnm · January 3, 2018, 4:37pm

Here is a download link for all the elements you asked for :

http://fromsmash.com/362f571c-f0a4-11e7-830d-0a39043893bc

Thank you.

zionio · January 5, 2018, 3:13pm

Hi,
based on your log message:

in your grok pattern i see <%{DATA:log_level}> but there’s no string match in your log message.
remember to always quote special chars like “<” or “>”
instead of [%{SPACE}] (and i didn’t see any “[” or “]” matching in message) use always (?:%{SPACE}) if you don’t know if whitespace is present or no.

I tried this on my GL2.4:

%{TIMESTAMP_ISO8601:Date} %{BASE10NUM} %{IPV4:Host_ipaddress} %{DATA:error_location}: \<%{DATA:error_id}\> \<%{DATA} %{COMMONMAC:Host_macaddress}\>(?:%{SPACE})%{GREEDYDATA:message}

and

Hope this helps
and my apologies for my english

Rnm · January 8, 2018, 9:47am

Hi zionio !

I have tested and it’s worked. Thanks for yours advices

For the DATA:error_log, it’s present on the real log. When I modified the line, I may delete it. I add it and it appear normaly.

Thank you really much and happy new year.

system · January 22, 2018, 9:48am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Reasons to graylog extractor stop working Graylog Central (peer support)	11	2696	April 25, 2017
Log Extractor Help Graylog Central (peer support) grok-patternspl	2	430	April 24, 2023
Nested Grok issues in a syslog extractor Graylog Central (peer support)	1	516	August 30, 2019
Graylog extractor Graylog Central (peer support)	8	624	November 13, 2018
Grok pattern for dd-wrt syslog input Graylog Central (peer support)	4	1260	October 16, 2017

Grok Pattern doesn't execute

Related Topics