Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    telegraf GROK pattern matching issues

    Scheduled Pinned Locked Moved pfSense Packages
    1 Posts 1 Posters 861 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jlw52761
      last edited by

      I have pfBlocker enabled with GEOIP blocking, and I've been able to get the DNSBL logs to parse and go into InfluxDB. The issue I'm h[0_1564446396094_sanatizedlogsample.csv](Uploading 0%) aving is I can't seem to get this to work for the ip_block.log and was hoping some GROK guru would be willing to give some advice.

      I've used https://grokdebug.herokuapp.com/ and it says I have a valid GROK pattern, so not sure what I'm missing.

      My telegraf.conf entry is as follows, with sample data (sanatizedlogsample.zip) attached.

      [[inputs.logparser]]
  files = ["/var/log/pfblockerng/ip_block.log"]
  from_beginning=true
  [inputs.logparser.grok]
    measurement = "ipblock_log"
    patterns = ["^%{SYSLOGTIMESTAMP:timestamp},%{GREEDYDATA:tracker_id},%{WORD:interface},%{WORD:interface_name},%{WORD:action},%{WORD:ipversion},%{WORD:protocol_id},%{WORD:protocol},%{GREEDYDATA:src_ip},%{GREEDYDATA:dst_ip},%{GREEDYDATA:src_port>},%{GREEDYDATA:dst_port},%{WORD:dst_port_dir},%{WORD:country_code},%{WORD:alias_name},%{GREEDYDATA:ip_evaluated},%{WORD:feed_name},%{GREEDYDATA:resolved_hostname},%{WORD:client_hostname},%{WORD:asn},%{GREEDYDATA:hitormiss}"]
    timezone = "Local"
    [inputs.logparser.tags]
      value = "2"

      The target is InfluxDB,not sure if that makes a difference or not.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.