I am trying to extract only the last part of a Linux log using Grok Patterns in Graylog, but it's harder than I thought.
Here's the message that I receive:
Mar 18 11:10:01 graylog CRON[14637]: pam_unix(cron:session): session closed for user root
I only want to keep date, time and the "session closed for user root" part.
This is what I tried, without results:
%{GREEDYDATA} pam_unix(cron:session):
%{GREEDYDATA} session closed for user root
%{MONTH} %{BASE10NUM} %{TIME} %{GREEDYDATA}graylog CRON[18698]: pam_unix(cron:session):
Maybe I am still using "greedydata" wrong(?); any help would be greatly appreciated!
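The following is an added example, not code from the question or from Graylog. Grok patterns are regular expressions with named sub-patterns spliced in, so the literal parentheses in pam_unix(cron:session) and the square brackets in CRON[14637] are regex metacharacters and have to be escaped, otherwise the pattern matches different text than the log line contains. To show this offline, the example re-implements a minimal Grok expander in Python over a small, constructed subset of the standard base patterns (MONTH, MONTHDAY, TIME, SYSLOGTIMESTAMP, HOSTNAME, WORD, POSINT, GREEDYDATA; the real Graylog pattern set is larger), applies a corrected pattern to the sample line, reduces it to the timestamp plus the trailing message, and checks that the unescaped first attempt from the question does not match. The field names timestamp, host, program, pid and message are this example's own choice.

```python
import re

# Constructed subset of the standard Grok base patterns. The real Graylog
# pattern set is larger; these definitions are assumed for this example.
PATTERNS = {
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?"
             r"|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0-3]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:[0-5]?[0-9]|60)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})?(?![0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\b",
    "WORD": r"\b\w+\b",
    "POSINT": r"\b[1-9][0-9]*\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

# A Grok reference looks like %{NAME} or %{NAME:field}.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str, definitions=PATTERNS) -> str:
    """Recursively expand Grok references into plain regex text.

    %{NAME:field} becomes a named group (?P<field>...), %{NAME} a non-capturing group.
    """
    def expand(m):
        name, field = m.group(1), m.group(2)
        if name not in definitions:
            raise KeyError(f"unknown grok pattern {name}")
        inner = grok_to_regex(definitions[name], definitions)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(expand, pattern)


def grok_compile(pattern: str) -> re.Pattern:
    """Expand every Grok reference in the pattern and compile the result."""
    return re.compile(grok_to_regex(pattern))


# Parentheses and square brackets are regex metacharacters, so the literal
# "CRON[14637]" and "pam_unix(cron:session)" parts must be escaped.
CRON_PATTERN = (
    r"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\[%{POSINT:pid}\]: "
    r"pam_unix\(cron:session\): %{GREEDYDATA:message}"
)
CRON_RE = grok_compile(CRON_PATTERN)

# The first attempt from the question, for comparison: the unescaped
# "(cron:session)" is parsed as a regex group, so the pattern looks for the
# text "pam_unixcron:session:" and never matches the real line.
UNESCAPED_ATTEMPT_RE = grok_compile(r"%{GREEDYDATA} pam_unix(cron:session):")


def parse_cron_line(line: str):
    """Return the named captures for one line, or None when the pattern does not match.

    re.search mirrors an unanchored Grok match; wrap the pattern in ^ and $ to
    require the whole line to match instead.
    """
    m = CRON_RE.search(line)
    return m.groupdict() if m else None


def keep_time_and_message(line: str):
    """Reduce a line to the timestamp and the trailing message, as the question asks."""
    fields = parse_cron_line(line)
    if fields is None:
        return None
    return f"{fields['timestamp']} {fields['message']}"


# Constructed sample input: the line from the question plus one more cron line.
SAMPLE_LINES = [
    "Mar 18 11:10:01 graylog CRON[14637]: pam_unix(cron:session): session closed for user root",
    "Mar 18 11:10:01 graylog CRON[14637]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_cron_line(line))
        print(keep_time_and_message(line))
    print("unescaped attempt matches:", UNESCAPED_ATTEMPT_RE.search(SAMPLE_LINES[0]) is not None)
```

Because the pid is captured with %{POSINT:pid} rather than hard-coded, the same pattern matches every CRON line regardless of the process id, and %{GREEDYDATA:message} picks up whatever follows the pam_unix prefix, so both "session closed" and "session opened" lines produce a message field.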