Hello!
I'm working on Cisco WSA logs. Some fields are optional. In particular, the field which contains the username information: sometimes we have "DOMAIN\smith@AD" and sometimes we have just -
When the username is present, all is OK. But when the username is "-", I can't parse what follows.
Log sample with no issue:
<14>May 06 08:31:53 ACCESS_LOGS: Info: 1620282712.713 0 10.31.199.115 TCP_DENIED/407 0 CONNECT tunnel://nexus.officeapps.live.com:443/ "CORP\smith@AD1" DATA1
Grok pattern:
<%{POSINT:syslog_pri}>(%{SYSLOGTIMESTAMP:syslog_timestamp}) %{WORD:log_type}: %{WORD:syslog_facility}: %{NUMBER:timestamp} %{INT:elapsed_time} %{IP:client_ip} %{WORD:result_code}/%{NUMBER:response_code} %{NUMBER:response_size} %{WORD:http_method} (%{URIPROTO:http_protocol}://)?%{IPORHOST:dst_host}(?::%{POSINT:port})?(?:%{NOTSPACE:uri_param})? ("%{WORD:Domain}\\%{USERNAME:user}@%{WORD:DomainController}")? %{WORD:TESTDATA}
Log sample with issue:
<14>May 06 08:31:53 ACCESS_LOGS: Info: 1620282712.713 0 10.31.199.115 TCP_DENIED/407 0 CONNECT tunnel://nexus.officeapps.live.com:443/ - DATA1
=> no match in the grok debugger
Thanks for your help
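As an added example (not part of the original post), the script below expands the grok pattern into a Python regex and runs it over both sample lines. It shows why the original pattern cannot match the "-" line: once the optional quoted-user group is skipped, the pattern is left with two consecutive literal spaces and nothing that can consume the "-". Replacing `( "..." )?` with an alternation `(?:"..."|-)` fixes it, and the user fields simply come back empty for the "-" case. The base patterns (POSINT, WORD, IPORHOST, ...) are hand-written approximations of the Logstash definitions, not the exact ones shipped with grok; that is an assumption of this example, sufficient for these two lines.

```python
import re
from typing import Optional

# Approximations of the Logstash grok base patterns used by the WSA pattern.
# Assumption: simplified re-implementations, not the real grok definitions.
GROK_BASE = {
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "INT": r"(?:[+-]?[0-9]+)",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "IPORHOST": (
        r"(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
        r"|[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
        r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*)"
    ),
    "URIPROTO": r"[A-Za-z]+(?:\+[A-Za-z+]+)?",
    "SYSLOGTIMESTAMP": (
        r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
        r" +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}"
    ),
}

# Shared prefix of the pattern, identical in both variants.
_PREFIX = (
    r"<%{POSINT:syslog_pri}>(%{SYSLOGTIMESTAMP:syslog_timestamp}) "
    r"%{WORD:log_type}: %{WORD:syslog_facility}: %{NUMBER:timestamp} "
    r"%{INT:elapsed_time} %{IP:client_ip} %{WORD:result_code}/%{NUMBER:response_code} "
    r"%{NUMBER:response_size} %{WORD:http_method} "
    r"(%{URIPROTO:http_protocol}://)?%{IPORHOST:dst_host}(?::%{POSINT:port})?"
    r"(?:%{NOTSPACE:uri_param})? "
)

# The pattern from the post: the user group is optional, but the space after
# it is not, so a "-" in that position has nothing to match it.
ORIGINAL_PATTERN = _PREFIX + (
    r'("%{WORD:Domain}\\%{USERNAME:user}@%{WORD:DomainController}")? '
    r"%{WORD:TESTDATA}"
)

# Fixed variant: the quoted user block and the bare "-" are alternatives, so
# exactly one of them consumes the field and the surrounding spaces line up.
FIXED_PATTERN = _PREFIX + (
    r'(?:"%{WORD:Domain}\\%{USERNAME:user}@%{WORD:DomainController}"|-) '
    r"%{WORD:TESTDATA}"
)

# Constructed copies of the two sample lines from the post.
SAMPLE_OK = (
    r"<14>May 06 08:31:53 ACCESS_LOGS: Info: 1620282712.713 0 10.31.199.115 "
    r'TCP_DENIED/407 0 CONNECT tunnel://nexus.officeapps.live.com:443/ "CORP\smith@AD1" DATA1'
)
SAMPLE_NO_USER = (
    r"<14>May 06 08:31:53 ACCESS_LOGS: Info: 1620282712.713 0 10.31.199.115 "
    r"TCP_DENIED/407 0 CONNECT tunnel://nexus.officeapps.live.com:443/ - DATA1"
)

_GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> "re.Pattern[str]":
    """Replace every %{BASE:field} with a Python named group (%{BASE} -> non-capturing)."""
    def expand(m: "re.Match[str]") -> str:
        base, field = m.group(1), m.group(2)
        body = GROK_BASE[base]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(_GROK_TOKEN.sub(expand, pattern))


def parse_wsa(pattern: str, line: str) -> Optional[dict]:
    """Return the named fields for a full match, or None when the line does not match."""
    m = grok_to_regex(pattern).fullmatch(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL_PATTERN), ("fixed", FIXED_PATTERN)):
        for line in (SAMPLE_OK, SAMPLE_NO_USER):
            fields = parse_wsa(pat, line)
            user = fields.get("user") if fields else None
            print(f"{label:8s} match={fields is not None} user={user!r}")
```

Running it prints a match for the original pattern only on the first line, while the fixed pattern matches both and reports `user=None` for the "-" line. In Logstash the same change applies unchanged inside the grok filter string; the only thing to keep in mind is that fields inside a skipped alternative are simply not emitted for that event.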