i have the grok patterns for cisco switches but not for arista. what those could be?
Here's cisco's for an example:
filter {
##########################
# General section
##########################
grok {
match => [
"message", "<%{NONNEGINT:syslog_pri}>\d+: (%{SYSLOGHOST:device}: )?\*?\.?(\d+: )?%{CISCOTIMESTAMP:log_date}(\s+%{WORD})?: (%%{CISCO_REASON:vendor_facility}-%{INT}-%{CISCO_REASON:vendor_facility_process}: )?%{GREEDYDATA:log_message}"
]
add_tag => ["ios_parsed"]
}
syslog_pri { }
##########################
# Config Audit section
##########################
if "ios_parsed" in [tags] and "PARSER" in [vendor_facility] {
grok {
match => {
"log_message" => "User:%{USER:username}\s+logged command:%{GREEDYDATA:command_used}"
}
tag_on_failure => ["_grokparsefailure", "_configauditparsefailure"]
}
}
############################
# Interface status section
############################
if "ios_parsed" in [tags] and "LINEPROTO" in [vendor_facility] and "UPDOWN" in [vendor_facility_process] {
grok {
match => {
"log_message" => "Line\s+protocol\s+on\s+Interface\s+%{DATA:interface},\s+changed\s+state\s+to\s+%{WORD:interface_state}"
}
tag_on_failure => ["_grokparsefailure", "_interfaceparsefailure"]
}
}
###################################
# OSPF Adjacency change section
###################################
if "ios_parsed" in [tags] and "OSPF" in [vendor_facility] and "ADJCHG" in [vendor_facility_process] {
grok {
match => {
"log_message" => "Process\s+%{NUMBER:ospf_instance},\s+Nbr\s+%{IP:ospf_neighbor}\s+on\s+%{DATA:ospf_interface}\s+from\s+%{DATA:before_ospf_state}\s+to\s+%{DATA:after_ospf_state},\s+%{GREEDYDATA:opsf_state_action_result}"
}
tag_on_failure => ["_grokparsefailure", "_ospfparsefailure"]
}
}
}
I managed to build a simple general parser. But i would not like to rely on it and something more advanced will require too much time for me. Im sure its been done before sadly my googling skills are not good enough to find them myself.