Cisco Meraki Syslog - Using Two Grok Patterns in the same filter

dts · October 11, 2018, 5:59pm

Hello,

I have created a conf with two grok patterns. When I run the conf it seems to only process the first pattern and not the second one. I have tested both pattens in a couple of online Grok sites and they both work. What am I missing to get both to work?

    filter {
           grok {

   match => ["message", "%{CISCOTIMESTAMP:timestamp} %{SYSLOGHOST:host.id} %{NUMBER:version} %{BASE10NUM:epoch_time} %{WORD:host.name} (?<log_type>[a-zA-Z0-9\-]+)([ ])? (src=)%{IP:source.ip} (dst=)%{IP:destination.ip} (mac=%{MAC:source_mac})?([ ])?(protocol=)%{WORD:network.protocol} (sport=)%{POSINT:source.port} (dport=)%{POSINT:destination.port} (pattern: )%{WORD:allowed} %{WORD:event.action}"]

   match => ["message", "%{CISCOTIMESTAMP:timestamp} %{SYSLOGHOST:host.id} %{NUMBER:version} %{BASE10NUM:epoch_time} %{WORD:host.name} (?<log_type>[a-zA-Z0-9\-]+)([ ])? %{WORD:event.action} (src=)%{IP:source.ip} (dst=)%{IP:destination.ip} (mac=%{MAC:source_mac})?([ ])?(protocol=)%{WORD:network.protocol} (sport=)%{POSINT:source.port} (dport=)%{POSINT:destination.port"]

        }

mutate {
            remove_field => [ "host" ]


            # for inbound flows, sometimes 0 and 1 are used for "allowed".
            #this statement will replace them
            gsub => [
                "allowed", "1", "denied",
                "allowed", "0", "allowed"
            ]
            # severity informational
            add_field => {"syslog_pri" => "6"}
        }

}

Makra · October 12, 2018, 4:05am

Try with the following single match block:

grok {
                match => [ 
                            "message",  "YOUR_PATTERN1" ,
                            "message",  "YOUR_PATTERN2" 
                 
                         ]
}

system · November 9, 2018, 4:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.