I need some GROK Assistance

poisedforflight · October 13, 2021, 3:53pm

I need some assistance figuring out how to use GROK to separate a Message into it’s pieces.

How do I break this log down? I am newb to GROK and am not even sure where to start.

Remote Desktop Services: Session logon succeeded:

User: Domain\Administrator
Session ID: 289
Source Network Address: 10.0.0.1

gsmith · October 14, 2021, 1:22am

Hello,

I would first go to the message you need to create the extractors. at the end of the message there should be am arrow pointing down, I’ve highlight this in a red box below.

Then pick Grok Patterns.

This way you working with the message need for your Grok patterns.

Start off by using Graylogs default patterns and if they don’t work there is also this site to help create your patterns.

https://grokconstructor.appspot.com/do/match#result

Hope that helps

system · October 28, 2021, 1:23am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issues with attempting to pull Fields from Message Graylog Central (peer support)	3	630	May 25, 2018
Grok Pattern line description Graylog Central (peer support)	4	1152	February 12, 2020
Split message and create dahsboard Graylog Central (peer support)	4	894	August 14, 2018
How to apply my custom extractors for incoming messages? Graylog Central (peer support) sidecar , filebeat-windows	5	824	November 26, 2018
Parsing Logs On Graylog Graylog Central (peer support)	8	8293	November 17, 2017

I need some GROK Assistance

Related topics