Pipeline Rule Simulator not working with domain\username in the log, but external Grok debuggers function as expected

Hello all, I am trying to use a pipeline rule to extract some information from a log line, but the simulator is indicating the rule / grok is not working when a domain / username is present in the log. External grok debuggers all work as expected. A bit puzzling, but I am probably missing something simple.

The grok is:
rule "vmware event fields" // rule name assumed; the post showed only the rule body
when
contains(to_string($message.source_os_type), "vmware") //&& !contains(to_string($message.message), "com.vmware.vim.eam")
then
let tmp = grok(
pattern: "vim.event.%{WORD:event_action}] \[%{WORD:event_severity}\]",
value: to_string($message.message),
only_named_captures: true
);
set_fields(tmp);
//remove_field("tmpsource");
end

Does not work with the simulator:
message:Event [119797857] [1-1] [2024-08-23T14:29:22.695142Z] [vim.event.VmCreatedEvent] [info] [domain.domain.domain.com\user-name] [xxxxx Datacenter RKPT] [119797851] [Created virtual machine computer1 on vmwarehost, in XXXXXX Datacenter XXX]
source_os_type:vmware

Removing the [domain.domain.domain.com\user-name] from the log entry works every time. I will extract the domain \ username in a later rule, but I just want to ignore everything after [info].

Any thoughts or suggestions?

Hey @jmmats,

Certain characters, such as '[', require a double escape within Graylog. The below should hopefully work.

let tmp = grok(
pattern: "vim.event.%{WORD:event_action}\\] \\[%{WORD:event_severity}\\]",
value: to_string($message.message),
only_named_captures: true
);
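
As an added illustration (not code from this thread or from Graylog), here are the two sample lines run through a small Python stand-in for grok, with the bracket-escaped pattern above and a follow-up pattern for the later domain\user rule. The way graylog_literal collapses a doubled backslash is an assumption about the rule parser; the grok type table, grok_match and USER_PATTERN are mine.

```python
import re

# Constructed sample events modelled on the thread (not real vCenter output).
MSG_WITH_USER = (
    "Event [119797857] [1-1] [2024-08-23T14:29:22.695142Z] [vim.event.VmCreatedEvent] "
    "[info] [do.main.local\\Admin-user] [ Datacenter RKPT] [119797851] "
    "[Created virtual machine xxxxxx on hypervisor.y.y.z, in Datacenter RKPT]"
)
MSG_WITHOUT_USER = MSG_WITH_USER.replace("[do.main.local\\Admin-user] ", "")

# Only the grok types this thread needs; real grok ships many more.
GROK_TYPES = {"WORD": r"\w+", "DATA": r".*?", "GREEDYDATA": r".*"}


def graylog_literal(text: str) -> str:
    """Assumed model of the rule parser: a doubled backslash inside a rule
    string literal reaches grok as a single backslash, hence '\\\\[' in the rule."""
    return text.replace("\\\\", "\\")


def grok_to_regex(pattern: str) -> str:
    """Expand %{TYPE:name} into a named group; everything else is passed through as regex."""
    return re.sub(
        r"%\{(\w+):(\w+)\}",
        lambda m: f"(?P<{m.group(2)}>{GROK_TYPES[m.group(1)]})",
        pattern,
    )


def grok_match(rule_literal: str, message: str):
    """Return the named captures, like grok(only_named_captures: true), or None on no match.
    grok searches for the pattern anywhere in the message, so the trailing
    [domain\\user] field does not need to be consumed for the match to succeed."""
    m = re.search(grok_to_regex(graylog_literal(rule_literal)), message)
    return m.groupdict() if m else None


# The pattern as it must be written inside the rule (double-escaped brackets).
RULE_PATTERN = r"vim.event.%{WORD:event_action}\\] \\[%{WORD:event_severity}\\]"
# Later rule the poster mentions: also capture the [domain\user] field after [info].
USER_PATTERN = RULE_PATTERN + r" \\[%{DATA:event_user}\\]"

if __name__ == "__main__":
    for msg in (MSG_WITH_USER, MSG_WITHOUT_USER):
        print(grok_match(RULE_PATTERN, msg))
    print(grok_match(USER_PATTERN, MSG_WITH_USER))
```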

Yes, you are correct @Wine_Merchant, I do have that in my rule. I must have just copied the external grok debugger rule and pasted.

This is the rule text in place now:
pattern: "vim.event.%{WORD:event_action}\\] \\[%{WORD:event_severity}\\]",

Very perplexing, imo.

Doesn't work:
message:Event [119797857] [1-1] [2024-08-23T14:29:22.695142Z] [vim.event.VmCreatedEvent] [info] [do.main.local\Admin-user] [ Datacenter RKPT] [119797851] [Created virtual machine xxxxxx on hypervisor.y.y.z, in Datacenter RKPT]
source_os_type:vmware

Removing [do.main.local\Admin-user] from the log line

works:
message:Event [119797857] [1-1] [2024-08-23T14:29:22.695142Z] [vim.event.VmCreatedEvent] [info] [ Datacenter RKPT] [119797851] [Created virtual machine xxxxxx on hypervisor.y.y.z, in Datacenter RKPT]
source_os_type:vmware

I have even tried adding a greedydata to the end, with no success unfortunately.

I should also mention that the post seems to be removing the double backslash from the pattern, as your post shows as well.

For clarity here, it seems as if the backslash in the domain username text is causing the issue:

[do.main.local\Admin-user]

It does appear to work within the rule simulator, which is not so robust.

Have you now got it working?

Oy, yeah, seems to be working now. Though I was using the key value to mimic the field of source_os_type I have set. Will have to do some additional troubleshooting, but I think I'll move forward with this.

Thanks again for the guidance.