I am trying to figure out which is the best way to filter a log of a sidewinnder firewall. The situation is that depending the log type the message contains more or less fields. The pattern is that always we have: fieldname=value, . Here you have an example:
<46> Nov 14 08:48:02 fw auditd: date="2018-11-14 07:48:02 +0000",fac=f_ping_proxy,area=a_aclquery,type=t_aclallow,pri=p_major,pid=5441,logid=0,cmd=pingp,hostname=fw.x.com,event="ACL allow",srcip=192.168.10.10,srczone=internal,protocol=1,dst_geo=ES,dstip=188.8.131.52,dstzone=external,rule_name="int ext surfing",cache_hit=1,reason="Traffic allowed by policy.",application=ICMP
I have tryed buldind with grok filter but there are 25 possibilities, because depending on the type and subtype it contains more fields or less and I believe that the is some way that it is easier and that will increment the performance.