I want to only keep a certain part of a syslog message as the message.
input {
udp {
port => "514"
type => "syslog-cisco"
}
tcp {
port => "514"
type => "syslog-cisco"
}
}
filter {
grok {
patterns_dir => ["../patterns"]
match => [
"message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{SYSLOGPROG:facility}-%{INT:severity_level}-%{SYSLOGPROG:facility_mnemonic}: %{GREEDYDATA:message}",
"message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{SYSLOGPROG:facility}-%{SYSLOGPROG:facility_sub}-%{INT:severity_level}-%{SYSLOGPROG:facility_mnemonic}: %{GREEDYDATA:message}"
]
overwrite => [ "message" ]
add_tag => [ "cisco-ios" ]
add_tag => [ "cisco" ]
remove_field => [ "syslog5424_pri", "@version" ]
} # grok
if "cisco-ios" not in [tags] {
mutate {
remove_tag => [ "_grokparsefailure" ]
}
grok {
patterns_dir => ["../patterns"]
match => [
"message", "%{SYSLOG5424PRI}(%{HOSTNAME:hostname})?:( \*%{SYSLOGPROG:facility}:) (%{CISCOTIMESTAMP:log_date}:) (%%{SYSLOGPROG:facility_sub}:) %{GREEDYDATA: message}"
]
overwrite => [ "message" ]
add_tag => [ "cisco-wlc" ]
add_tag => [ "cisco" ]
remove_field => [ "@version", "program" ]
} # grok
} # if
} # filter
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "network-%{+YYYY.MM.dd}"
}
}
In the firstt grok{} it works, and only %{GREEDYDATA:message} gets assigned to message in the overwrite, but for some reason, it is not happening with the second one.
Why?
EDIT:
This is what the syslog message for the second grok{} looks like:
<182>HOST001: *radiusTransportThread: Nov 10 10:02:22.149: %AAA-6-RADIUS_IN_GLOBAL_LIST: [PA]radius_db.c:426 RADIUS server 172.20.1.84:1813 activated in global list