
I am trying to parse the SSSD daemon logs using Logstash grok patterns for better visibility.

Log samples:

(Mon Nov  9 12:08:56 2020) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Mon Nov  9 12:08:56 2020) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x55ffd29d93c0][22]

I have created custom Grok patterns as stated below:

SSSD_TIME [ \(%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}\)]+
SSSD_DEMON \[[a-z]*\[[a-z]*\]\]+
SSSD_FUNCTION \[[a-z,_]*\]+
SSD_LOG_LEVEL (\(\dx\d*\))+

I am getting the below output using the above custom grok patterns for the query stated below:

%{SSSD_TIME:time} %{SSSD_DEMON:demon} %{SSSD_FUNCTION:function} %{SSD_LOG_LEVEL:loglevel}[:]\s+%{GREEDYDATA:message}

Output:

{
  "function": "[client_recv]",
  "loglevel": "(0x0200)",
  "time": "(Mon Nov  9 12:08:56 2020)",
  "demon": "[sssd[nss]]",
  "message": "Client disconnected!"
}

I need to extract only the values within the brackets and not the whole content.

I tried skipping the brackets, but it only works for the first value.

Query below for skipping the first bracket:

\(%{SSSD_TIME:time}\) %{SSSD_DEMON:demon} %{SSSD_FUNCTION:function} %{SSD_LOG_LEVEL:loglevel}[:]\s+%{GREEDYDATA:message}

I need to get the below output:

{
  "function": "client_recv",
  "loglevel": "0x0200",
  "time": "Mon Nov  9 12:08:56 2020",
  "demon": "sssd[nss]",
  "message": "Client disconnected!"
}

If anyone can help me with this, that will be great.

Thanks

Ajinkya

1 Answer


Here is the grok pattern for your desired output:

\((?<timestamp>%{DAY} %{MONTH}\s+%{MONTHDAY} %{TIME} %{YEAR})\) \[(?<daemon>.*)\] \[%{DATA:function}\] \(%{DATA:log_level}\): %{GREEDYDATA:message}

I have used the Grok Debugger to create the pattern above.

Here is the screenshot of the output:

[screenshot of the Grok Debugger output]

If you want, you can then remove the unnecessary tags like DAY, MONTH etc. using the mutate filter of Logstash.

Sourav
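As an added example that is not part of the question or the answer: the same idea of keeping the `(`, `)`, `[`, `]` delimiters outside the named capture, written as a plain Ruby regex and run over the two sample lines from the question. Logstash grok compiles down to Oniguruma, the regex engine Ruby itself uses, and grok's `%{PATTERN:field}` expands to the same `(?<field>...)` named groups, so the regex below maps one-to-one onto a grok pattern (the grok form is given in a comment). It also allows for the space-padded day of month in `Nov  9`, which a single literal space before the day would not match. The constant and function names (`SSSD_LINE`, `parse_sssd_line`, `parse_sssd_lines`) are my own, not Logstash's.

```ruby
# Added example (not from the question or the answer): the grok idea of keeping
# the delimiters OUTSIDE the named capture, written as a plain Ruby regex.
# Logstash grok compiles to Oniguruma, the same engine Ruby uses, and grok's
# %{PATTERN:field} expands to the same (?<field>...) named groups, so what
# works here maps one-to-one onto a grok pattern. Names below are my own.

# Constructed sample input, copied from the log format in the question.
SAMPLE_LOGS = [
  "(Mon Nov  9 12:08:56 2020) [sssd[nss]] [client_recv] (0x0200): Client disconnected!",
  "(Mon Nov  9 12:08:56 2020) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x55ffd29d93c0][22]",
].freeze

# Hand-expanded equivalents of the stock grok patterns DAY, MONTH, MONTHDAY,
# TIME and YEAR (abbreviated forms only, which is all ctime() emits).
DAY      = /(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)/
MONTH    = /(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)/
MONTHDAY = /(?:0[1-9]|[12][0-9]|3[01]|[1-9])/
TIME     = /\d{2}:\d{2}:\d{2}/
YEAR     = /\d{4}/

# Every \( \) \[ \] is a literal that sits outside its named group, so the
# captured text never includes the bracket. ctime() pads a single-digit day
# with a space ("Nov  9"), so the day is preceded by \s+ rather than one space.
# Grok equivalent of this regex:
#   \((?<timestamp>%{DAY} %{MONTH}\s+%{MONTHDAY} %{TIME} %{YEAR})\) \[(?<daemon>.*?)\] \[(?<function>[^\]]+)\] \((?<log_level>0x[0-9a-fA-F]+)\): %{GREEDYDATA:message}
SSSD_LINE = /
  \A\((?<timestamp>#{DAY}\ #{MONTH}\s+#{MONTHDAY}\ #{TIME}\ #{YEAR})\)\s+
  \[(?<daemon>.*?)\]\s+              # lazy: "sssd[nss]" has brackets of its own, stop at the first "] ["
  \[(?<function>[^\]]+)\]\s+
  \((?<log_level>0x[0-9a-fA-F]+)\):\s+
  (?<message>.*)\z
/x

# Returns a Hash of field name => value (brackets already excluded), or nil
# when the line does not follow the SSSD debug-log layout.
def parse_sssd_line(line)
  m = SSSD_LINE.match(line)
  m && m.named_captures
end

# Parses many lines; unparsable ones are kept under "_raw" so nothing is lost,
# which is roughly what Logstash's _grokparsefailure tag gives you.
def parse_sssd_lines(lines)
  lines.map { |l| parse_sssd_line(l) || { "_raw" => l } }
end

if __FILE__ == $PROGRAM_NAME
  require "json"
  parse_sssd_lines(SAMPLE_LOGS).each { |ev| puts JSON.pretty_generate(ev) }
end
```

Run it with `ruby sssd_parse.rb` (any file name) to print one JSON object per line with `timestamp`, `daemon`, `function`, `log_level` and `message`, all without their surrounding brackets. The lazy `.*?` for `daemon` matters because `sssd[nss]` contains brackets itself: a `[^\]]+` class would stop at the inner `]`, while the lazy match stops at the first `] [` that is followed by the function field.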