Netgear Log - Grok Patern

Hello to all,

I’m a french new user of Graylog and I work with Netgear logs. Some fields of these logs are not good.

When we connect to a Netgear Switch, the log look like :

image1113×285 12.6 KB

So all the informations that we want to show in our dashboard is in the field “message”, from this, we want to extract the date, time, name of the switch (SW28 in this case) the username (admin) and the IP adress as a unique field.

For that, I have alredary tried to make Grok pattern from a lot of YouTube video ( 14. Graylog 3.0 Grok Patterns, Extractors and Pipelines || part 3 - YouTube but I cannot undertand how does it works.

Can you help us to make a pattern for this Netgear log ?

Thank you very much for yout help

Wish you a good day

Best Regards,

Alexandre

I moved your question to “Graylog Central” where questions are asked (…and hopefully solved!)

Are you having trouble figuring out GROK or are you having trouble trying to implement GROK in an extractor or in a pipeline?

Can you post the text of your sample message (Using the forum tool </> for nice formatting) as well as what you have come up with so far for a GROK pattern? Do you want to do it in the pipeline or in an extractor?

Thanks for your answer.

For the moment I try to extract the data from the log to match the desired field.
I managed to extract the IP address as desired :

But when I want to extract another information it triggers an error

Capture2638×547 29.9 KB

And this is the log :

Sep 20 09:38:12 SW28-1 General[emWeb]: main_login.c(781) 11465403 %% HTTP Session 11 initiated for user admin connected from 192.168.1.35

Thank you for your help.

You need to parse the data set and fields properly.
Just an example to play around with (very simple):

%{SYSLOGTIMESTAMP:Date} %{SYSLOGHOST:Source} %{WORD}\[%{WORD:Service}\]: %{GREEDYDATA:Event} %{IP:Client_IP}

NOTE: As shown in @H077E’s example you have to account for everything between %{time} and %{IPV4} even if you use %{GREEDYDATA:UNWANTED} Where UNWANTED means don’t capture that data into a field.

Solved, thanks a lot for your help !

If you have a moment, post your GROK for future searchers!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.