Spent the past hour trying to set up a grok filter for logstash. Working with the Grok Debugger everything's good until I get to the timestamp. Grok chokes on the four-digit year.
Here is a logfile entry as it's sent to logstash:
Jul 8 11:54:29 192.168.1.144 1 2016-07-08T15:55:09.629Z era.somedomain.local ETAServer 1755 Syslog {"event_type":"Threat_Event","ipv4":"192.168.1.118","source_uuid":"7ecab29a-7db3-4c79-96f5-3946de54cbbf","occured":"08-Jul-2016 15:54:54","severity":"Warning","threat_type":"trojan","threat_name":"HTML/Agent.V","scanner_id":"HTTP filter","scan_id":"virlog.dat","engine_version":"13773 (20160708)","object_type":"file","object_uri":"http://malware.wicar.org/data/java_jre17_exec.html","action_taken":"connection terminated","threat_handled":true,"need_restart":false,"username":"DOMAIN\username","processname":"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"}
What I'm having trouble with is the first part before the JSON data. The first part of my grok statement:
%{MONTH}\ %{MONTHDAY}%{SPACE}%{TIME}%{SPACE}%{IPV4}%{SPACE}%{NUMBER}%{SPACE}
works fine, correctly identifying everything up to the number '1' just before the year in the timestamp. The problem is when I add the following:
%{MONTH}\ %{MONTHDAY}%{SPACE}%{TIME}%{SPACE}%{IPV4}%{SPACE}%{NUMBER}%{SPACE}%{TIMESTAMP_ISO8601}
then I get "No Matches" in the grok debugger. Messing around with it a bit more, it appears that the problem is somewhere between the number '1' and the first two digits of the year in the timestamp, since %{TIMESTAMP_ISO8601} only uses a two-digit year.
Any suggestions or help would be greatly appreciated.
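As an added example (not from the original post, Logstash or ESET), here is a small Python parser whose regex uses abbreviated equivalents of the grok sub-patterns the poster chains (MONTH, MONTHDAY, TIME, IPV4, NUMBER, then TIMESTAMP_ISO8601, whose YEAR piece in the stock grok definitions is `(?>\d\d){1,2}`), so the header match can be tried outside the Grok Debugger and the JSON event recovered for detection work. The sample line, host names and addresses are constructed; the field names are assumptions, not ERA's own.

```python
import json
import re

# Abbreviated equivalents of the grok sub-patterns chained in the post, continued
# through the rest of the syslog header and the JSON payload. The YEAR piece
# follows the stock grok definition (?>\d\d){1,2} (two or four digits), written as
# a plain group because Python's re only accepts atomic groups from 3.11 on.
_IPV4 = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}"
_HOUR, _MIN, _SEC = r"(?:2[0123]|[01]?[0-9])", r"[0-5][0-9]", r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)"
ERA_LINE = re.compile(
    r"^(?P<month>\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b)\s+"
    r"(?P<monthday>(?:0?[1-9]|[12][0-9]|3[01]))\s+"
    rf"(?P<time>{_HOUR}:{_MIN}:{_SEC})\s+"
    rf"(?P<relay>{_IPV4})\s+"
    r"(?P<version>[0-9]+)\s+"
    rf"(?P<iso_ts>(?:\d\d){{1,2}}-(?:0?[1-9]|1[0-2])-(?:0?[1-9]|[12][0-9]|3[01])[T ]"
    rf"{_HOUR}:?{_MIN}(?::?{_SEC})?(?:Z|[+-]{_HOUR}(?::?{_MIN}))?)\s+"
    r"(?P<host>\S+)\s+(?P<app>\S+)\s+(?P<pid>\d+)\s+(?P<msgid>\S+)\s+"
    r"(?P<payload>\{.*\})\s*$"
)


def parse_era_line(line):
    """Return the header fields plus the decoded JSON event, or None when the
    header does not match (so callers can count or dead-letter unparsed lines)."""
    m = ERA_LINE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    payload = fields.pop("payload")
    try:
        fields["event"] = json.loads(payload)
    except ValueError:
        # Windows paths and DOMAIN\user values may arrive with bare backslashes,
        # which are not legal JSON escapes; double any backslash not starting one.
        fixed = re.sub(r'\\(?!["\\/bfnrt]|u[0-9a-fA-F]{4})', r"\\\\", payload)
        fields["event"] = json.loads(fixed)
    return fields


# Constructed sample in the same layout as the post's entry (not the poster's data).
SAMPLE = (
    "Jul 8 11:54:29 192.0.2.10 1 2016-07-08T15:55:09.629Z era.example.test ETAServer 1755 Syslog "
    '{"event_type":"Threat_Event","ipv4":"192.0.2.20","occured":"08-Jul-2016 15:54:54",'
    '"severity":"Warning","threat_name":"Eicar test file","action_taken":"connection terminated",'
    '"threat_handled":true,"username":"EXAMPLE\\user","processname":"C:\\Program Files\\app.exe"}'
)

if __name__ == "__main__":
    print(json.dumps(parse_era_line(SAMPLE), indent=2))
```

Payloads with bare Windows-path backslashes, as in the post's own entry, fail the first json.loads and go through the escape fix-up before decoding.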