_grokparsefailure even though the right patterns are there


iam trying to build a syslog solution for my firewall.

I had built this two patterns:

CISCOFW710006 %{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip} to %{DATA:dst_interface}:%{IP:dst_ip}

CISCOFW710005 %{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}

In the grok debugger is the first pattern matching with this cisco_message:
VRRP request discarded from to OUTSIDE:

The second pattern matches with this cisco_message:
UDP request discarded from to DMZ703:

But if i try to use both pattern as a match like here:
grok { patterns_dir => ["/etc/logstash/conf.d/custom_patterns"] break_on_match => false match => [ "cisco_message", "%{CISCOFW710005}", "cisco_message", "%{CISCOFW710006}", "cisco_message", "%{CISCOFW106016}", "cisco_message", "%{CISCOFW106017}", "cisco_message", "%{CISCOFW725001}" ]

then i get a _grokparsefailure.

If i use only one of the patterns then it works.

It seems like the CISCOFW710005 pattern is also matching the other message but not completly but it tries and uses the false insted of the right pattern.

Has anybody a idea?

Best Regards


Nobody a Idea?

This means that all patterns listed will be attempted, and processing will not stop when there is a match. Can a message match multiple patterns? If not, you should change this to true.

Post a example .

These value break_on_match => false
was only a test value. It is also not functioning without.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.