
I'm trying to parse the Zeek IDS log using Telegraf and InfluxDB. In the logs that Zeek uses, the fields are separated by tabs, but when Telegraf reads these logs, it adds \t. I am not able to create a pattern to perform the separation of fields.

Log Zeek:

1669666446.619248       CLod7M1SB6EGHAp50a      fe80::a00:27ff:fe8d:4f7d        143     ff02::16        0       icmp    -       -       -       -       OTH     F       F       0       -       1       96      00       -

Telegraf Debug:

2022-11-29T14:36:52Z D! [parsers.grok::tail] Grok no match found for: "1669666446.619248\tCLod7M1SB6EGHAp50a\tfe80::a00:27ff:fe8d:4f7d\t143\tff02::16\t0\ticmp\t-\t-\t-\t-\tOTH\tF\tF\t0\t-\t1\t96\t0\t0\t-"

Grok Debugger:

%{SYSLOGHOST:ts}\t%{WORD:uuid}

No Matches

I've already made several attempts at patterns, but without success. My knowledge is basic.

  • If it helps you Mateus, you can switch Zeek's log generation over to JSON by saying `redef LogAscii::use_json = T;` in your local.zeek — or you can just add `LogAscii::use_json=T` to the end of the command line if you're invoking this on a pcap. – Christian Nov 30 '22 at 06:04
  • Another option, if you'd rather stay with the traditional log format: you can change the separator string in Zeek's logging framework by redefining the `Log::separator` string. – Christian Nov 30 '22 at 06:07
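One way to split these lines without a hand-written grok pattern, as an added example that is not part of the question or the comments: Zeek's ASCII logs carry `#separator`, `#fields`, `#types` and `#unset_field` header lines, so a parser can be driven by the file itself. The sample log below is constructed from the row in the question plus the header Zeek writes for conn.log; the `CONVERTERS` table and `parse_zeek_tsv` are this example's own names.

```python
import ipaddress
# Constructed sample: the question's row plus the conn.log header Zeek writes.
# Telegraf's debug line shows the tabs escaped as "\t"; the file has real tabs.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes"
    "\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount"
    "\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount"
    "\tset[string]\n"
    "1669666446.619248\tCLod7M1SB6EGHAp50a\tfe80::a00:27ff:fe8d:4f7d\t143\tff02::16"
    "\t0\ticmp\t-\t-\t-\t-\tOTH\tF\tF\t0\t-\t1\t96\t0\t0\t-\n"
)

# How each Zeek type in the #types line maps to a Python value.
CONVERTERS = {
    "count": int, "port": int, "int": int,
    "time": float, "interval": float, "double": float,
    "bool": lambda v: v == "T",
    "addr": ipaddress.ip_address,
    "set[string]": lambda v: v.split(","),  # Zeek's set_separator defaults to ","
}

def parse_zeek_tsv(text):
    """Parse Zeek ASCII log text into dicts, driven by its own #-header lines."""
    sep, unset, fields, types, records = "\t", "-", [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Only this header line is space-separated; its value is escaped.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line.split(sep)
            if key == "#fields":
                fields = vals
            elif key == "#types":
                types = vals
            elif key == "#unset_field":
                unset = vals[0]
        else:
            vals = line.split(sep)
            if len(vals) != len(fields):
                raise ValueError(f"expected {len(fields)} fields, got {len(vals)}")
            # Unset cells (the "-" placeholders) become None; others are typed per #types.
            records.append({f: None if v == unset else CONVERTERS.get(t, str)(v)
                            for f, v, t in zip(fields, vals, types)})
    return records
```

The same split works on the line Telegraf printed, because the `\t` there is only the escaped display of a real tab character.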
