using multiline filter with syslog messages from untangle

a guest, Mar 31st, 2015
When I remove the remarks below, the filter stops working, but I get no errors. All that happens is that no untangle-syslog messages go into Elasticsearch when the remarks are removed. The type is assigned to the message by the input.

filter {
  if [type] == "untangle-syslog" {
    # Note: in a regex, "..." matches any three characters, so "...$" matches
    # every non-empty line; with what => "next" each event is then joined to
    # the following one. A literal trailing "..." would be written "\.\.\.$".
    #multiline {
    #  pattern => "...$"
    #  what => "next"
    #  add_tag => "multiline-joined"
    #}
    grok {
      # Parse the syslog header and the Untangle wrapper; the JSON payload is
      # captured whole into jsonmessage for the json filter below.
      match => { "message" => "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:syslogtimestamp} localhost node-17: \[SyslogManagerImpl\] <(?:%{WORD:Protocol}|)> %{WORD:Severity}\s*uvm\[0\]:\s*%{GREEDYDATA:jsonmessage}" }
      add_tag => "untangle-syslog"
      tag_on_failure => "untangle_syslog_grok_failure"
    }
    mutate {
      # Rename the quoted "host" key so it does not collide with the event's
      # own host field; "hostname" is unaffected because the quotes must match.
      gsub => [ "jsonmessage", '"host"', '"websiteHost"' ]
    }
    json {
      source => "jsonmessage"
    }
    date {
      match => [ "timeStamp", "yyyy-MM-dd HH:mm:ss.SSS" ]
    }
  }
}

An example of 2 log entries which I want the multiline filter to apply to:

<142>Mar 31 10:15:00 localhost node-17: [SyslogManagerImpl] <TCP93307337274539> INFO uvm[0]: {"requestUri":"/crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCOq0yK5095sXVI3hELfKl-_t_oI3qZ_s_cgM8T77YiCUmJqoW79hErIdhQBhFoE1annCDXfsK73DMJ46UirxKPLAMZSmuUtnpgw8IDYTbdzXN6jEe4tXaxNzQ/extension_1_4_7_771.crx?cms_redirect=yes&expire=1427807700&ip=109.234.205.197&ipbits=0&mm=31&ms=au&mt=1427793009&mv=u&nh=IgpwcjAzLmxocjE0KgkxMjcuMC4wLjE&pl=25&sparams=expire,ip,ipbits,mm,ms,mv,nh,pl&signature=03456BD3052E1640E3CF67FAEF3A335D03FEE03A.6C2625304A8774DFD168EF68C09973E681566FF1&key=cms1","host":"r3---sn-aigllnlk.c.pack.google.com","timeStamp":"2015-03-31 10:15:00.994",...

<142>Mar 31 10:15:00 localhost ..."sessionId": 93307337274539,"requestId":93307337040336,"tag":"uvm[0]: ","class":"class com.untangle.node.http.HttpRequestEvent","method":"GET","sessionEvent":{"protocol":6,"timeStamp":"2015-03-31 10:15:00.982","SClientAddr":"/192.168.1.11","tag":"uvm[0]: ","CServerAddr":"/173.194.3.72","protocolName":"TCP","CClientAddr":"/10.0.9.30","class":"class com.untangle.uvm.node.SessionEvent","hostname":"SQ-G-F4","SClientPort":14237,"serverIntf":1,"CServerPort":80,"username":"dpassey","clientIntf":2,"sessionId":93307337274539,"policyId":18,"SServerPort":80,"SServerAddr":"/173.194.3.72","CClientPort":2133},"contentLength":0}
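As an added illustration that is not part of the paste, here is a Python equivalent of what the filter chain above does to one line (grok match, the "host" to "websiteHost" rename, JSON parse, timestamp parse) plus a check of how the multiline pattern behaves as a regex. The regex, the shortened sample line and the function names are my own assumptions, not Logstash code.

```python
import json
import re
from datetime import datetime

# Regex equivalent of the paste's grok pattern; group names mirror the grok field names.
GROK = re.compile(
    r"<(?P<priority>\d+)>(?P<syslogtimestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"localhost node-17: \[SyslogManagerImpl\] <(?P<Protocol>\w+)?> "
    r"(?P<Severity>\w+)\s*uvm\[0\]:\s*(?P<jsonmessage>.*)$"
)

# Constructed sample in the page's format, shortened so the JSON payload is complete.
SAMPLE = ('<142>Mar 31 10:15:00 localhost node-17: [SyslogManagerImpl] '
          '<TCP93307337274539> INFO uvm[0]: {"requestUri":"/x","host":"example.com",'
          '"hostname":"SQ-G-F4","timeStamp":"2015-03-31 10:15:00.994","contentLength":0}')


def is_continued(line, pattern):
    """True if the multiline filter (what => "next") would glue this line to the next one."""
    return re.search(pattern, line) is not None


def parse_untangle(line):
    """Apply the grok -> mutate/gsub -> json -> date steps to a single syslog line."""
    m = GROK.match(line)
    if not m:
        # Mirrors tag_on_failure: the raw line is kept and tagged, not dropped.
        return {"tags": ["untangle_syslog_grok_failure"], "message": line}
    event = m.groupdict()
    # mutate/gsub: only the quoted key "host" is renamed; "hostname" is left alone.
    body = event["jsonmessage"].replace('"host"', '"websiteHost"')
    event.update(json.loads(body))
    # date filter: "yyyy-MM-dd HH:mm:ss.SSS" -> @timestamp
    event["@timestamp"] = datetime.strptime(event["timeStamp"], "%Y-%m-%d %H:%M:%S.%f")
    event["tags"] = ["untangle-syslog"]
    return event


if __name__ == "__main__":
    print(parse_untangle(SAMPLE))
    print("unescaped ...$ matches:", is_continued(SAMPLE, r"...$"))
    print("escaped \\.\\.\\.$ matches:", is_continued(SAMPLE, r"\.\.\.$"))
```

Running it shows that the unescaped pattern matches the complete sample line too, which is why every event would be held for joining with its successor.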