Cisco Meraki Syslog - Using Two Grok Patterns in the same filter


I have created a conf with two grok patterns. When I run the conf it seems to only process the first pattern and not the second one. I have tested both pattens in a couple of online Grok sites and they both work. What am I missing to get both to work?

    filter {
           grok {

   match => ["message", "%{CISCOTIMESTAMP:timestamp} %{} %{NUMBER:version} %{BASE10NUM:epoch_time} %{} (?<log_type>[a-zA-Z0-9\-]+)([ ])? (src=)%{IP:source.ip} (dst=)%{IP:destination.ip} (mac=%{MAC:source_mac})?([ ])?(protocol=)%{WORD:network.protocol} (sport=)%{POSINT:source.port} (dport=)%{POSINT:destination.port} (pattern: )%{WORD:allowed} %{WORD:event.action}"]

   match => ["message", "%{CISCOTIMESTAMP:timestamp} %{} %{NUMBER:version} %{BASE10NUM:epoch_time} %{} (?<log_type>[a-zA-Z0-9\-]+)([ ])? %{WORD:event.action} (src=)%{IP:source.ip} (dst=)%{IP:destination.ip} (mac=%{MAC:source_mac})?([ ])?(protocol=)%{WORD:network.protocol} (sport=)%{POSINT:source.port} (dport=)%{POSINT:destination.port"]


mutate {
            remove_field => [ "host" ]

            # for inbound flows, sometimes 0 and 1 are used for "allowed".
            #this statement will replace them
            gsub => [
                "allowed", "1", "denied",
                "allowed", "0", "allowed"
            # severity informational
            add_field => {"syslog_pri" => "6"}


Try with the following single match block:

grok {
                match => [ 
                            "message",  "YOUR_PATTERN1" ,
                            "message",  "YOUR_PATTERN2" 

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.