Grok assigns the wrong names to captures under some conditions #29

Open
jordansissel opened this issue May 17, 2015 · 2 comments
@jordansissel

(This issue was originally filed by @TheFlimFlam at elastic/logstash#2072)


Description:
Composing grok patterns that share named captures will result in names binding to the wrong capture in the context of the composition.

Reproduction steps:
Set up the following patterns file (/etc/logstash/patterns/general/test-patterns)

SSH_KEYFILE_ERROR (?<tags>error): (?<failure>Could not load host key): %{PATH:keyfile}
SSH_PASSWORD_FAIL (?<failure>Failed password) for %{USER:username} from %{IPORHOST:clientip} port %{INT:port} %{WORD:protocal}
AUTH_SSH          (%{SSH_KEYFILE_ERROR}|%{SSH_PASSWORD_FAIL})

Run the patterns file using the following logstash config

input {
    generator {
        count   => 1
        message => "Nov 14 14:50:23 puppet sshd[36930]: Failed password for magicaluser from 127.0.0.1 port 43333 ssh2"
    }
}

output {
    stdout { codec => "rubydebug" }
}

filter {
    grok {
        patterns_dir => '/etc/logstash/patterns/general/test-patterns'
        match => [ "message", "%{AUTH_SSH}" ]
    }
}

Will print the following to standard out:

{
       "message" => "Nov 14 14:50:23 puppet sshd[36930]: Failed password for magicaluser from 127.0.0.1 port 43333 ssh2",
      "@version" => "1",
    "@timestamp" => "2014-11-14T03:16:26.831Z",
          "host" => "1051a1523d6e",
      "sequence" => 0,
      "username" => "Failed password",
      "clientip" => "magicaluser",
      "protocal" => "43333"
}

Expected output:

  • A field should exist called failure which captures the text 'Failed password'
  • The field username should contain the text 'magicaluser'

@jordansissel

I agree with you on the expected output. This behavior seems like a new bug, which may be expected given we did some internal changes to the grok library to improve performance and may have broken something.

I'd like to get some tests that show this bad behavior so we can ensure it stays fixed in the future.

@jordansissel

I haven't yet confirmed this. Not sure if anyone else has reproduced it either.
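
A regression-style check for the report above, added here as an example and not part of the thread or of the grok library's code: it expands the issue's three patterns with a minimal stand-in expander, binds captures by name, and lists which fields in the reported output disagree. The base patterns (PATH, USER, IPORHOST, INT, WORD) are simplified assumptions, and `expand`, `auth_ssh_captures` and `misbound` are hypothetical helper names.

```ruby
# Added example: a tiny grok-style expander, not jls-grok's implementation.
# Base patterns are simplified stand-ins (assumptions), not the shipped ones.
PATTERNS = {
  "PATH"     => '(?:/[^\s/]+)+',
  "USER"     => '[a-zA-Z0-9._-]+',
  "IPORHOST" => '[0-9A-Za-z.:-]+',
  "INT"      => '[+-]?[0-9]+',
  "WORD"     => '\w+',
  # The three composed patterns, copied from the issue.
  "SSH_KEYFILE_ERROR" => '(?<tags>error): (?<failure>Could not load host key): %{PATH:keyfile}',
  "SSH_PASSWORD_FAIL" => '(?<failure>Failed password) for %{USER:username} ' \
                         'from %{IPORHOST:clientip} port %{INT:port} %{WORD:protocal}',
  "AUTH_SSH"          => '(%{SSH_KEYFILE_ERROR}|%{SSH_PASSWORD_FAIL})'
}.freeze

MESSAGE = "Nov 14 14:50:23 puppet sshd[36930]: Failed password for magicaluser " \
          "from 127.0.0.1 port 43333 ssh2"

# Fields printed in the issue's rubydebug output (the misbound result).
REPORTED = { "username" => "Failed password", "clientip" => "magicaluser",
             "protocal" => "43333" }.freeze

# Replace %{NAME} / %{NAME:field} recursively. A field becomes a Ruby named
# group, so values are later looked up by name rather than by group position.
def expand(src, depth = 0)
  raise ArgumentError, "pattern nesting too deep" if depth > 20
  src.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body = expand(PATTERNS.fetch(name), depth + 1)
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Match a log line against AUTH_SSH; drop groups from the branch that did not match.
def auth_ssh_captures(line)
  m = Regexp.new(expand("%{AUTH_SSH}")).match(line)
  m ? m.named_captures.reject { |_, v| v.nil? } : {}
end

# Names of expected fields that are absent from, or differ in, a parsed event.
def misbound(expected, actual)
  expected.reject { |field, value| actual[field] == value }.keys
end

if __FILE__ == $0
  expected = auth_ssh_captures(MESSAGE)
  puts "expected: #{expected}"
  puts "misbound in reported output: #{misbound(expected, REPORTED).join(', ')}"
end
```

Feeding real parser output to `misbound` in place of `REPORTED` turns this into a pass/fail check for the fields that failed-login alerting depends on, such as username and clientip.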
