Hey,
I am trying to build a syslog solution for my firewall.
I have built these two patterns:
CISCOFW710006 %{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip} to %{DATA:dst_interface}:%{IP:dst_ip}
CISCOFW710005 %{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}
In the grok debugger, the first pattern matches this cisco_message:
VRRP request discarded from 190.12.13.14 to OUTSIDE:224.0.0.18
The second pattern matches this cisco_message:
UDP request discarded from 192.168.1.1/64523 to DMZ703:255.255.255.255/69
But if I try to use both patterns in a match like here:
grok {
  patterns_dir => ["/etc/logstash/conf.d/custom_patterns"]
  break_on_match => false
  match => [
    "cisco_message", "%{CISCOFW710005}",
    "cisco_message", "%{CISCOFW710006}",
    "cisco_message", "%{CISCOFW106016}",
    "cisco_message", "%{CISCOFW106017}",
    "cisco_message", "%{CISCOFW725001}"
  ]
}
then I get a _grokparsefailure.
If I use only one of the patterns, then it works.
It seems like the CISCOFW710005 pattern is also matching the other message, but not completely; it tries and uses the wrong one instead of the right pattern.
Has anybody an idea?
Best Regards
Daniel
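An added offline check, not part of Daniel's post and not Logstash code: a small Python emulation of grok that expands the two custom patterns from the post into regexes and runs each one against each sample message, so you can see which pattern matches which line and what it captures. The base patterns (WORD, IP, INT, DATA, CISCO_ACTION) are simplified assumptions, and grok_all emulates break_on_match => false as I understand it (every pattern is tried, fields are merged, failure only when none match).

```python
import re

# Simplified Logstash base patterns (constructed; the real built-ins are
# broader) plus the two custom patterns exactly as written in the post.
PATTERNS = {
    "WORD": r"\b\w+\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "DATA": r".*?",
    "IP": r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
          r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)",
    "CISCO_ACTION": r"(?:Built|Teardown|Deny|Denied|denied|requested|permitted"
                    r"|denied by ACL|discarded|est-allowed|Dropping|created|deleted)",
    "CISCOFW710006": r"%{WORD:protocol} (?:request|access) %{CISCO_ACTION:action}"
                     r" from %{IP:src_ip} to %{DATA:dst_interface}:%{IP:dst_ip}",
    "CISCOFW710005": r"%{WORD:protocol} (?:request|access) %{CISCO_ACTION:action}"
                     r" from %{IP:src_ip}/%{INT:src_port}"
                     r" to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}",
}

REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern, depth=0):
    """Replace every %{NAME} / %{NAME:field} with its regex, recursively."""
    if depth > 20:
        raise RecursionError("grok reference nesting too deep")
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = expand(PATTERNS[name], depth + 1)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return REF.sub(sub, pattern)

def grok(name, message):
    """Unanchored search, like grok; returns the captured fields or None."""
    m = re.compile(expand("%{" + name + "}")).search(message)
    return m.groupdict() if m else None

def grok_all(names, message):
    """Emulation of break_on_match => false: try every pattern, merge fields.
    Returns None when no pattern matched (the _grokparsefailure case)."""
    fields = {}
    for name in names:
        hit = grok(name, message)
        if hit:
            fields.update(hit)
    return fields or None

# The two cisco_message samples quoted in the post.
VRRP_MSG = "VRRP request discarded from 190.12.13.14 to OUTSIDE:224.0.0.18"
UDP_MSG = "UDP request discarded from 192.168.1.1/64523 to DMZ703:255.255.255.255/69"
```

Call grok("CISCOFW710005", VRRP_MSG) and grok("CISCOFW710006", UDP_MSG) to see whether either custom pattern fires on the other message under this simplified emulation.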