Hi All,
I'm puzzling a bit with some filter settings whereby events being sourced from a UDP input in (not really) syslog format have somewhat different characteristics. Based upon the event class generated by the Brocade switches you might seen different sections in the event lines.
As an example a normal raslog event message may show up like this:
("@timestamp":"2017-04-24T05:54:34.917Z","syslog_hostname":"Sydney_ILAB_7k81","@version":"1","host":"10.129.2.128","message":"<148>Apr 24 05:44:37 Sydney_ILAB_7k81 raslogd: 2017/04/24-05:44:37, [KSWD-1002], 363869, FFDC | WWN 10:00:00:05:33:27:de:f4 | CHASSIS, WARNING, Brocade7800, Detected termination of process 0.weblinker.fcg:22479.\n","type":"syslog","syslog_message":"raslogd: 2017/04/24-05:44:37, [KSWD-1002], 363869, FFDC | WWN 10:00:00:05:33:27:de:f4 | CHASSIS, WARNING, Brocade7800, Detected termination of process 0.weblinker.fcg:22479.\n","syslog_pri":"148"}
Take a special view in the message after "raslog:" (I highlighted it in Bold)
When a certain event falls under an auditable class it changes to this:
{"@timestamp":"2017-04-24T05:54:34.981Z","syslog_hostname":"Sydney_ILAB_7k81","@version":"1","host":"10.129.2.128","message":"<150>Apr 24 05:44:37 Sydney_ILAB_7k81 raslogd: AUDIT, 2017/04/24-05:44:37 (GMT), [HAM-1015], INFO, RAS, NONE/root/NONE/None/CLI, ad_0/Brocade7800/CHASSIS, 7.4.1e, , , , , , , Software Component weblinker (pid:22479) restarted.\n","type":"syslog","syslog_message":"raslogd: AUDIT, 2017/04/24-05:44:37 (GMT), [HAM-1015], INFO, RAS, NONE/root/NONE/None/CLI, ad_0/Brocade7800/CHASSIS, 7.4.1e, , , , , , , Software Component weblinker (pid:22479) restarted.\n","syslog_pri":"150"}
I'm not sure if this is solvable in GROK although when it is I would like some help thinking this over via regex's of some sort.
Anyone have any idea?
Thanks
Erwin