I am trying to write a GROK pattern for the following types of tcpspy logs.

-Apr 21 12:08:19 ubuntu tcpspy[1243]: disconnect: user anu, local 192.168.244.128:53761, remote 216.58.210.46:https

-Apr 21 12:08:19 ubuntu tcpspy[3400]: disconnect: proc /usr/lib/firefox/firefox, user anu, local 192.168.244.128:53761, remote 216.58.210.46:https

-Apr 21 10:36:21 ubuntu tcpspy[3417]: disconnect: proc (unknown), user anu, local 192.168.244.128:40593, remote 198.105.254.11:http

This is the pattern I have written:

match => {"message" => "%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG:sys}: %{WORD:wr}: %{WORD} (?:%{URIPATHPARAM:path}|[?(]%{WORD:path}[?)]), (%{WORD:word}|%{WORD:word} %{WORD:word}, %{WORD:word}) (%{IPORHOST:ip}:%{POSINT:nu}), %{WORD} (%{IPORHOST:ipp}:%{WORD:n})"}

For some reason I am able to parse the first two types with this pattern, but I am not able to parse the third one.
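As an added illustration (not part of the question or the answer), the three line shapes above can be parsed with a plain Python regular expression that mirrors the grok pattern's structure. Logstash grok compiles to Oniguruma regex, so the named groups below correspond to the grok field names, but this is standalone `re` code that runs without Logstash. The optional `proc` field is handled explicitly, covering both a path and the parenthesised `(unknown)` form; the field names `event`, `proc`, `local_ip`, `local_port`, `remote_ip` and `remote_port` are my own choices, and the sample lines are copied from the question.

```python
import re
from typing import Optional

# Regex equivalent of the grok pattern from the question, written as named
# groups. Field names (event, proc, local_ip, ...) are chosen for this
# example and are not grok built-ins.
TCPSPY_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "  # SYSLOGTIMESTAMP
    r"(?P<logsource>[\w.-]+) "                                    # SYSLOGHOST
    r"(?P<program>[\w./-]+)(?:\[(?P<pid>\d+)\])?: "              # SYSLOGPROG
    r"(?P<event>\w+): "                                           # connect / disconnect
    r"(?:proc (?P<proc>\([^)]*\)|\S+), )?"                        # optional: a path or "(unknown)"
    r"user (?P<user>\S+), "
    r"local (?P<local_ip>[\d.]+):(?P<local_port>\d+), "
    r"remote (?P<remote_ip>[\d.]+):(?P<remote_port>\w+)$"         # port may be a service name
)

# The three example lines from the question, used here as sample input.
SAMPLE_LINES = [
    "Apr 21 12:08:19 ubuntu tcpspy[1243]: disconnect: user anu, "
    "local 192.168.244.128:53761, remote 216.58.210.46:https",
    "Apr 21 12:08:19 ubuntu tcpspy[3400]: disconnect: proc /usr/lib/firefox/firefox, "
    "user anu, local 192.168.244.128:53761, remote 216.58.210.46:https",
    "Apr 21 10:36:21 ubuntu tcpspy[3417]: disconnect: proc (unknown), "
    "user anu, local 192.168.244.128:40593, remote 198.105.254.11:http",
]


def parse_tcpspy(line: str) -> Optional[dict]:
    """Return a dict of fields for one tcpspy syslog line, or None if it
    does not match. 'proc' is None when the field is absent and the literal
    string '(unknown)' when tcpspy could not resolve the process."""
    m = TCPSPY_RE.match(line)
    return m.groupdict() if m else None


def parse_all(lines) -> list:
    """Parse every line, keeping only the ones that match the pattern."""
    return [rec for rec in (parse_tcpspy(ln) for ln in lines) if rec is not None]


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        print(rec["event"], rec["user"], rec["proc"],
              f'{rec["local_ip"]}:{rec["local_port"]}',
              f'{rec["remote_ip"]}:{rec["remote_port"]}')
```

Lines that do not match return `None` rather than raising, so a grokparsefailure-style condition is easy to count when running this over a real tcpspy log; a `(unknown)` process is kept as a distinct value from a missing `proc` field, since the two cases mean different things when reviewing which processes opened connections.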

1 Answer

I have tested the third line here https://grokdebug.herokuapp.com/ and everything works fine with your pattern.