I would like to somehow add a separate field called client, for example using %{IPV4}. Is this possible, or do I need to create a custom pattern which includes %{IPV4}?
I take it it's not, so I'd just like to confirm that.
On the topic of custom patterns, what would be the best way to set them up if I've got a range of syslog messages, all different? Would I just log all the different types and create a pattern for each?
I've been trying to keep it as simple as possible, so I noticed %{TIMESTAMP_ISO8601} should match my timestamp, but when I test it in the grok debugger the seconds are null, so I tried something like this:
Once I get to the "System Detected UDP port scan attack, scan packet from.." part, do I just keep using the WORD pattern here until I reach IPV4? Or (?[a-zA-Z\s,.]
I should be able to get it working, but there are other types of messages that get sent from this device, and some contain the IP address in the middle, or not at all. I take it I will need to capture each difference and match it from scratch until I have all the different patterns?
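The following is an added example, not part of the original post and not Logstash's own code: a small Python expander for grok-style patterns that shows how `%{IPV4:client}` yields a named field without a custom pattern file, how a list of patterns is tried in order so each message shape gets its own pattern with a catch-all last, and how the stock `TIMESTAMP_ISO8601` definition treats seconds and timezone as optional. The pattern dictionary is a constructed subset modelled on the stock grok library (the real definitions ship with logstash-patterns-core, which Logstash compiles with Oniguruma rather than Python's `re`), and the sample syslog lines are constructed, not real device output.

```python
"""Mini grok expander (added example): turns %{NAME:field} patterns into
Python regexes and tries a list of patterns in order, first match wins."""
import re

# Constructed subset modelled on the stock grok library; the real
# definitions live in logstash-patterns-core and may differ in detail.
PATTERNS = {
    "IPV4": (r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
             r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![0-9])"),
    "WORD": r"\b\w+\b",
    "GREEDYDATA": r".*",
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    # Seconds and timezone are optional groups in the stock definition.
    "TIMESTAMP_ISO8601": (r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}"
                          r"(?::?%{SECOND})?%{ISO8601_TIMEZONE}?"),
}

# %{NAME} or %{NAME:field}; grok's optional third ":type" part is ignored here.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern, defs=PATTERNS):
    """Recursively expand %{NAME} / %{NAME:field} references into one regex.

    %{NAME:field} becomes a named group and %{NAME} a non-capturing group,
    so %{IPV4:client} produces a 'client' field with no custom pattern.
    An unknown NAME raises KeyError, the same kind of failure grok reports
    when a pattern file is missing.
    """
    def expand(m):
        name, field = m.group(1), m.group(2)
        inner = GROK_REF.sub(expand, defs[name])   # nested refs, e.g. %{HOUR}
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return re.compile(GROK_REF.sub(expand, pattern))


def grok_match(message, patterns, defs=PATTERNS):
    """Try the grok patterns in order (grok's default break_on_match) and
    return the fields captured by the first match, or None if nothing fits.

    Patterns are recompiled per call for clarity; a real pipeline compiles
    them once at startup.
    """
    for p in patterns:
        m = compile_grok(p, defs).search(message)   # grok is unanchored too
        if m:
            return {k: v for k, v in m.groupdict().items() if v is not None}
    return None


# One pattern per message shape: most specific first, catch-all last.
SYSLOG_PATTERNS = [
    "%{TIMESTAMP_ISO8601:ts} %{WORD:host} System Detected %{WORD:proto} "
    "port scan attack, scan packet from %{IPV4:client}",
    "%{TIMESTAMP_ISO8601:ts} %{WORD:host} Login failed for user %{WORD:user} "
    "from %{IPV4:client} via %{WORD:service}",
    "%{TIMESTAMP_ISO8601:ts} %{WORD:host} %{GREEDYDATA:event}",
]

# Constructed sample lines (not real device output); the second has no
# seconds or timezone, the third carries no IP address at all.
SAMPLE_LINES = [
    "2024-03-05T14:22:07+00:00 router1 System Detected UDP port scan attack, "
    "scan packet from 10.0.0.5",
    "2024-03-05 14:23 router1 Login failed for user admin from 192.168.1.20 via ssh",
    "2024-03-05T14:24:59Z router1 Link down on interface eth1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(grok_match(line, SYSLOG_PATTERNS))
```

The order of `SYSLOG_PATTERNS` matters: because the first matching pattern wins, the `%{GREEDYDATA:event}` catch-all must stay last or it will swallow every line before the specific patterns get a chance. Anchoring patterns with `^` makes non-matching lines fail faster than an unanchored search.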