Cisco_reason pattern not working

sreejiths · August 1, 2017, 2:59pm

I am quite new to ELk , we are testing ELK V5.2 in out testing environment for Network syslog analytics . We face an issue while creating logstash conf that pattern "CISCO_RESON" is not been identifed even when its defined in patterns directory . Due to this all Cisco logs is getting grok parse failure . Its identifying CISCOTIMESTAMPTZ & SYSLOG5424PRI defined in same patterns directory .Please help on this ..

Grok
%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})? %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}
Pattern file
CISCOTIMESTAMPTZ %{CISCOTIMESTAMP}( %{TZ})?
NEXUSTIMESTAMP %{YEAR} %{MONTH} %{MONTHDAY} %{TIME}( %{TZ})?
CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*

Benoit_Martin · August 17, 2017, 8:44pm

I have the same problem. Can you share the solution if you already find it please.

Thank you!

system · September 14, 2017, 8:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_grokparsefailure even though the right patterns are there Logstash	5	648	August 17, 2017
_grokparsfailure on core patterns Logstash	10	1446	January 19, 2017
Grok parse failure despite pattern working in debugger Logstash	1	556	December 3, 2019
Need help - Cisco syslog events matching in GROK debugger but not showing up in Logstash	8	618	August 29, 2021
Pattern Cisco-ASA syslog message : Grokparsefailure ASA410001 ASA313005 Logstash	4	3169	July 6, 2017

Cisco_reason pattern not working

Related topics