Can someone help with filter logic of my log file

This is my sample log.

May 21 13:21:48 Network Log: NSD FAIL WAN[1]
May 21 13:21:58 Network Log: NSD SUCCESS WAN[1]
May 21 13:32:45 User Log: User cisco login failed.
May 21 13:33:03 User Log: User cisco login success from 192.168.100.106
May 21 13:33:57 User Log: User cisco login success from 192.168.100.106
May 21 13:34:39 Network Log: NSD FAIL WAN[1]
May 21 13:34:59 Network Log: NSD SUCCESS WAN[1]
May 21 13:36:58 VPN Log: (Tunnel disconnect) ,in=0,src=,got IP=192.168.100.150 cause : link disconnect
May 21 13:37:23 VPN Log: Terminating on signal 15
May 21 13:37:29 VPN Log: Connection terminated.
May 21 13:37:29 VPN Log: Modem hangup
May 21 13:37:29 VPN Log: Exit.
May 21 13:37:49 VPN Log: (Tunnel established) user1,in=0,src=10.11.12.13,got IP=192.168.100.150
May 21 13:37:52 VPN Log: MPPE 128-bit stateless compression enabled
May 21 13:37:52 VPN Log: local LL address fe80::94cc:380b:d430:127f
May 21 13:37:52 VPN Log: remote LL address fe80::1853:0ed298cf:9bb9
May 21 13:37:53 VPN Log: found interface eth0 for proxy arp
May 21 13:37:53 VPN Log: local IP address 192.168.100.1
May 21 13:37:53 VPN Log: remote IP address 192.168.100.150
May 21 13:37:59 Network Log: NSD FAIL WAN[1]
May 21 13:38:10 Network Log: NSD SUCCESS WAN[1]
May 21 13:43:10 User Log: User cisco Session Expired
May 21 13:43:47 VPN Log: No response to 5 echo-requests
May 21 13:43:47 VPN Log: Serial link appears to be disconnected.
May 21 13:43:47 VPN Log: Connect time 5.9 minutes.
May 21 13:43:47 VPN Log: Sent 1330585 bytes, received 107319 bytes.
May 21 13:43:47 VPN Log: MPPE disabled
May 21 13:43:47 VPN Log: (Tunnel disconnect) user1,in=0,src=10.11.22.33,got IP=192.168.100.150 cause : log out
May 21 13:43:50 VPN Log: (Tunnel disconnect) user1,in=0,src=10.11.12.13,got IP=192.168.100.150 cause : log out
May 21 13:43:50 VPN Log: Connection terminated.
May 21 13:43:50 VPN Log: Connect time 5.9 minutes.
May 21 13:43:50 VPN Log: Sent 1330585 bytes, received 107319 bytes.
May 21 13:43:51 VPN Log: Modem hangup
May 21 13:44:21 VPN Log: Exit.

After the "Log:" part I am concerned about the src IP and the cause.

I am trying

filter {
    grok {
        match => {
            "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} %{PROG:program}.*src=%{IP:IP}.*: %{GREEDYDATA:Reason}"
        }
    }
}

The IP is followed by a comma, not ": ". Try

"message" => "^%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} %{PROG:program}.*src=%{IP:IP},%{GREEDYDATA:Reason}"

Anchoring your pattern with ^ will give you better performance.

If I use this pattern, some lines will get a grok pattern failure. So how can I make sure that this pattern is matched only on specific lines?
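As an added example (not code from the thread), the same filter logic as a standalone Python script: the regex below is a hand-written equivalent of the grok prefix plus the src and cause fields, it is applied only to the tunnel lines so the other lines do not produce a parse failure, and the empty `src=,` case from the 13:36:58 line is handled rather than failing the match.

```python
"""Added example, not from the thread: parse src IP and cause from the
VPN tunnel lines only, the way a Logstash conditional around grok would."""
import re

# Equivalent of %{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{PROG} followed by the
# tunnel event, the src= field (may be empty) and the optional cause.
TUNNEL_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) (?P<program>\S+) "
    r"\((?P<event>Tunnel (?:established|disconnect))\) "
    r"(?P<user>[^,]*),in=(?P<iface>\d+),src=(?P<src>[^,]*),"
    r"got IP=(?P<assigned>[\d.]+)"
    r"(?: cause : (?P<reason>.*))?$"
)

# Constructed sample: a subset of the lines posted in the thread.
SAMPLE_LOG = """\
May 21 13:21:48 Network Log: NSD FAIL WAN[1]
May 21 13:36:58 VPN Log: (Tunnel disconnect) ,in=0,src=,got IP=192.168.100.150 cause : link disconnect
May 21 13:37:49 VPN Log: (Tunnel established) user1,in=0,src=10.11.12.13,got IP=192.168.100.150
May 21 13:43:47 VPN Log: (Tunnel disconnect) user1,in=0,src=10.11.22.33,got IP=192.168.100.150 cause : log out
May 21 13:43:50 VPN Log: Connection terminated.
"""


def parse_tunnel_events(text):
    """Return one dict per tunnel line; every other line is skipped, not failed.
    This mirrors wrapping grok in `if "Tunnel" in [message] { ... }` in Logstash."""
    events = []
    for line in text.splitlines():
        if "Tunnel" not in line:       # the conditional: only try the pattern here
            continue
        m = TUNNEL_RE.match(line)
        if m is None:                  # a tunnel line we could not parse: tag it
            events.append({"message": line, "tags": ["_grokparsefailure"]})
            continue
        fields = m.groupdict()
        fields["src"] = fields["src"] or None   # empty src= becomes None
        events.append(fields)
    return events


if __name__ == "__main__":
    for ev in parse_tunnel_events(SAMPLE_LOG):
        print(ev.get("timestamp"), ev.get("event"), ev.get("src"), ev.get("reason"))
```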
