Grok Filter Error


(Mr Thecrackerx) #1

Hi

I am a bit of a newbie here, but I am trying to parse one of the syslog message IDs for Cisco ASA.

The syslog message ID is 609001.

input {
        stdin {}
 }

filter {
        grok {
                match => [ "message", "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{IP:hosts}%{SPACE}:%{CISCOTIMESTAMP}%{SPACE}UTC:%{SPACE}%ASA-session-7-609001: Built local-host %{HOSTNAME:complex}:%{IP:src_ip}" ]
        }

output {
  stdout {  }
}

Sample logs are:

2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:03 UTC: %ASA-session-7-609001: Built local-host INSIDE-CGO-IP:10.23.49.157
2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:03 UTC: %ASA-session-7-609001: Built local-host INSIDE-CGO-IP:10.23.49.63
2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:04 UTC: %ASA-session-7-609001: Built local-host INSIDE-DPPQS:10.23.89.27
2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:03 UTC: %ASA-session-7-609001: Built local-host INSIDE-CGO-IP:10.23.49.202
2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:03 UTC: %ASA-session-7-609001: Built local-host INSIDE-CGO-IP:10.23.49.171
2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:04 UTC: %ASA-session-7-609001: Built local-host INSIDE-DPPQS:10.23.89.27
2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:03 UTC: %ASA-session-7-609001: Built local-host INSIDE-CGO-IP:10.23.49.145
2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:03 UTC: %ASA-session-7-609001: Built local-host INSIDE-CGO-IP:10.23.49.193
2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:03 UTC: %ASA-session-7-609001: Built local-host INSIDE-CGO-IP:10.23.49.89

Edit 1: Damn, my mistake. Figured it out: I left out a "}".
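For anyone checking whether the grok pattern itself extracts the intended fields before wiring it into Logstash, here is an added example (not from the post or from Logstash) that hand-expands the built-in patterns used above into one Python regex and runs it over the sample lines; the field names, the `_grokparsefailure` tag and the truncated fourth line are assumptions of this example.

```python
import re
from typing import Optional

# Hand-expanded equivalents of the Logstash built-ins used in the post:
#   TIMESTAMP_ISO8601 -> timestamp, IP (IPv4 only here) -> hosts,
#   CISCOTIMESTAMP -> cisco_ts, HOSTNAME -> complex, IP -> src_ip
ASA_609001 = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))"
    r"\s+(?P<hosts>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s*:(?P<cisco_ts>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2})"
    r"\s+UTC:\s+%ASA-session-7-609001: Built local-host "
    r"(?P<complex>[0-9A-Za-z][0-9A-Za-z-]{0,62}):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# The first three lines are copied from the post; the fourth is constructed
# (source address missing) to show how a non-matching event is handled.
SAMPLE_LOGS = [
    "2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:03 UTC: %ASA-session-7-609001: Built local-host INSIDE-CGO-IP:10.23.49.157",
    "2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:04 UTC: %ASA-session-7-609001: Built local-host INSIDE-DPPQS:10.23.89.27",
    "2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:03 UTC: %ASA-session-7-609001: Built local-host INSIDE-CGO-IP:10.23.49.63",
    "2018-02-08T13:00:02+05:30 10.199.197.130 :Feb 08 07:30:03 UTC: %ASA-session-7-609001: Built local-host INSIDE-CGO-IP",
]


def parse_asa_609001(line: str) -> Optional[dict]:
    """Return the grok-style field dict for one 609001 line, or None if it does not match."""
    m = ASA_609001.match(line.strip())
    return m.groupdict() if m else None


def parse_lines(lines):
    """Mimic the grok filter: matched lines become field dicts, the rest are tagged."""
    events = []
    for line in lines:
        fields = parse_asa_609001(line)
        if fields is None:
            # Logstash adds this tag by default when no pattern matches
            events.append({"message": line, "tags": ["_grokparsefailure"]})
        else:
            events.append(fields)
    return events


if __name__ == "__main__":
    for event in parse_lines(SAMPLE_LOGS):
        print(event)
```

A line that ends up with the `_grokparsefailure` tag is the one to inspect first when events arrive without the expected fields.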


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.