I am having some trouble parsing the following log:
<14>Jul 26 13:37:17 NL-Syn1-RI Connection: User [SYNNAS\WIN7$] from [192.168.10.111(192.168.10.111)] via [CIFS(SMB2)] accessed shared folder [sysvol].
This is what I have at the moment for my GROK pattern:
<%{POSINT:syslog_pri}>(?(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) ?%{SYSLOGHOST:log_source} %{WORD:service}: User [(?:%{WORD:user_domain})\?%{DATA:username}] from [%{IP:source_ip}|%({IP:source_ip})] via [%{DATA:protocol}] accessed shared folder [%{DATA:shared_folder}].
I am able to parse out everything up until "via [CIFS(SMB2)] accessed shared folder [sysvol]." The two fields "protocol" and "shared folder" display "null" on the GROK debugger. However, when splitting the log, beginning at "via", the two halves parse out perfectly fine with the current grok pattern. I tried many different ideas, but I haven't been able to find a solution.
Use this one:
RépondreSupprimer<%{POSINT:pri}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} %{WORD:service}: User \[(?:%{IPORHOST:user.domain})\\?%{DATA:user.name}\] from \[%{IPORHOST:source.domain}\(%{IPORHOST:source.ip}\)\] via \[%{WORD:sharing.protocol_dialect}\(%{WORD:sharing.protocol}\)\] accessed shared folder \[%{DATA:sharing.target_folder}\]