Running key=value tokenizer extractor from Pipelines?

nisow95612 · August 26, 2021, 7:49am

Hello Graylog community,
I have a simple question today: Can pipelines do what “key=value” tokenizer extractor does?

I know the pipelines have the key_value() function, but while it is more configurable than its key=value tokenizer extractor counterpart, there seems to be no way to handle spaces in quoted fields properly

What am I missing? (Sorry for such broad question) ?

As an exercise I’ve switched a test copy of my input from key=value tokenizer extractor to key_value() pipeline function, details can be found at RAW Input with “Length-prefixed framing” - #6 by nisow95612

These are the results of that exercise (identifying information masked):

1st line is result of that exercise - dstcountry=“Czech Republic” was not parsed correctly,
2nd line is what Syslog TCP does by default - worked OK, because there was no embedded “=”,
3rd line is parsed by key=value tokenizer extractor - worked perfectly. Unfortunately this works only on logs forwarded by FMGR, as explained at RAW Input with “Length-prefixed framing”.

image1000×434 63.5 KB

I believe the Graylog servers are fully up to date, so 4.1.

gsmith · August 27, 2021, 12:04am

Hello,
Out of curiosity, how did you setup your Message Processors Configuration?

nisow95612 · August 27, 2021, 7:35am

Funny, it’s the same as yours except GeoIP Resolver is disabled.

This means I can’t do this “bogus field killing” in pipeline and then let extractors do k=v tokenizing, right?

gsmith · August 27, 2021, 9:11pm

Not sure, I’m still looking into it.

shoothub · September 6, 2021, 9:42am

Hi @nisow95612

This is know issue with key_value function. You can override it with some little regex. I use this pipeline and works great for me also for Fortigate multi word values with quotes.

rule "Forti-regex-KV"
when
  has_field("message") and contains(to_string($message.message), "devname")
then
  let regex = regex("(date=.*)",to_string($message.message));

  // Replace values with quotes to format "key":"value"
  let replace1 = regex_replace("([a-z0-9\\_\\-]+)=(?:\")([^\"]+)(?:\")", to_string(regex["0"]), "\"$1\":\"$2\",");

  // Replace values without quotes to format "key":"value"
  let replace2 = regex_replace("([a-z0-9\\_\\-]+)=([0-9.\\-:]+|N/A)(?: |$)", replace1, "\"$1\":\"$2\",");

  // Replace start end with {} to json format syntax
  //let replace3 = regex_replace("(.*),", replace2, "{$1}");

  set_fields(
    fields:
    key_value(
    value: to_string(replace2),
    trim_value_chars: "\"",
    trim_key_chars:"\"",
    delimiters:",",
    kv_delimiters:":"
    )
  );
end

nisow95612 · September 6, 2021, 3:00pm

Hi @shoothub,
thanks for the tip. That may be viable a workaround, even if imperfect. I assume you don’t use IPv6 yet? I also think hackers can put as many colons and commas into VPN hostnames/usernames as they want.

Is the first regex replacement correct? I think \"$2\" would refer to (?:\").
Oh wait… there is “(?”. Does that somehow prevent () from being a capture group?

Wouldn’t it be easier to start with Fortigate’s set format csv? It looks like this:
type="event",subtype="vpn",level="notice",vd="Proxxxxxxxxxxx",logdesc="IPsec connection status changed",msg="IPsec connection status change",action="tunnel-up"

shoothub · September 7, 2021, 7:11am

Hi @nisow95612
you are correct, (?: is non-capturing group

Maybe an interesting option, i haven’t tried yet. Please provide your experiences if yout try it.

nisow95612 · September 9, 2021, 11:49am

Hi @shoothub,

How does your parser handle field “msg” in “perf-stats” messages?

I don’t see any special handling of embedded commas or colons in your regexes and msg has both.

Message example (CSV, but please imagine spaces instead of commas):
date=2021-09-09,time=13:17:xx,devname="Pexxxxxxx_Master",devid="FGxxxxxxxxxxxxxxx",eventtime=16311862xxxxxxxxxxx,tz="+0200",logid="0100040704",type="event",subtype="system",level="notice",vd="Proxxxxxxxx",logdesc="System performance statistics",action="perf-stats",cpu=12,mem=12,totalsession=123,disk=123,bandwidth="123/123",setuprate=123,disklograte=123,fazlograte=123,freediskstorage=123,sysuptime=123,waninfo="xxxxx",msg="Performance statistics: average CPU: 12, memory: 12, concurrent sessions: 123, setup-rate: 123"

From that msg should parse as
Performance statistics: average CPU: 12, memory: 12, concurrent sessions: 123, setup-rate: 123

I have tried to parse the CSV format with let k_v = key_value(value:msgtext, delimiters:",", kv_delimiters:"=", trim_value_chars:"\"");.

As always, it mostly works, but msg gets parsed as Performance statistics: average CPU: 7

shoothub · September 9, 2021, 1:44pm

If you use CSV format, try to use this little fix. It will replace , delimeter with | which not collide in performace statistics, then use | as delimeter in key_value function.

  // replace delimeter , with |
  let replace1 = regex_replace(",(\\w+=)", to_string($message.msgtext), "|$1");
  set_fields(
  // use | delimeter in key_value
  fields:
  key_value(
    value: replace1,
    trim_value_chars: "\"",
    delimiters:"|",
    kv_delimiters:"="
  )
);

system · September 23, 2021, 1:45pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline whitespace issues Graylog Central (peer support) pipeline-rules , route-to-streampl	2	762	November 5, 2020
Graylog pipeline keys with spaces Graylog Central (peer support) pipeline-rules , debuggingpl	6	1487	September 3, 2021
Pipelines: Key_value function in conjuntion with whitespaces causes faulty values Graylog Central (peer support)	1	406	February 8, 2021
K=V extractor help Graylog Central (peer support) pipeline-rules	5	649	September 1, 2021
Key:value extractor Graylog Central (peer support) pipeline-rules	3	1209	November 5, 2020

Running key=value tokenizer extractor from Pipelines?

Related Topics