Hey Team, trying to match my WatchGuard logs. Depending on the log entry the format varies pretty wildly, so I have a few different matches set up. Problem is, matching a new entry I'm working on is... too generic? And so it matches everything.
Generic entry:
HA-M300Active (2020-04-07T00:36:11) sessiond[2325]: process status xpath /toSessiond/updateActivity
Working fine:
HA-M300Active (2020-04-06T22:35:53) firewall: msg_id="3000-0151" Allow 1-LAN-P1 6-Internet-P6 udp 10.1.2.2 8.8.8.8 45410 53 duration="30" sent_bytes="59" rcvd_bytes="91" (Allow Out - DNS-00)
Here's how I am matching it now, and I guess I just need to learn how to be more specific.
%{IPORHOST:syslog_host} \(%{TIMESTAMP_ISO8601:log_date}\) %{SYSLOGPROG}: %{DATA:content}
So that matches, and puts the "process status xpath /toSessiond/updateActivity" in the content entry. But the other entry ends up with this as "content":
msg_id="3000-0151"
And of course this is all tossed away:
Allow 1-LAN-P1 6-Internet-P6 udp 10.1.2.2 8.8.8.8 45410 53 duration="30" sent_bytes="59" rcvd_bytes="91" (Allow Out - DNS-00)
I tried putting the less specific match last but that doesn't seem to have helped.
Help?
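As an added example (not from the original post), here is a plain-Python stand-in for the two grok patterns that tries the specific firewall pattern before the generic fallback and anchors the fallback's tail to end of line so it keeps the whole remainder, which is what GREEDYDATA does where DATA is lazy. The field names and the regex stand-ins for IPORHOST, TIMESTAMP_ISO8601 and SYSLOGPROG are my own assumptions.

```python
import re

# Constructed sample lines, copied from the two formats shown in the post.
GENERIC = ('HA-M300Active (2020-04-07T00:36:11) sessiond[2325]: '
           'process status xpath /toSessiond/updateActivity')
FIREWALL = ('HA-M300Active (2020-04-06T22:35:53) firewall: msg_id="3000-0151" '
            'Allow 1-LAN-P1 6-Internet-P6 udp 10.1.2.2 8.8.8.8 45410 53 '
            'duration="30" sent_bytes="59" rcvd_bytes="91" (Allow Out - DNS-00)')

# Shared prefix: host, ISO8601 timestamp in parentheses, program[pid]:
# (assumed plain-regex stand-in for IPORHOST / TIMESTAMP_ISO8601 / SYSLOGPROG).
PREFIX = (r'^(?P<syslog_host>\S+) '
          r'\((?P<log_date>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\) '
          r'(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ')

# Specific pattern for the firewall traffic line: fixed positional fields,
# then the key="value" tail, then the policy name in parentheses.
FIREWALL_RE = re.compile(
    PREFIX + r'msg_id="(?P<msg_id>[^"]+)" (?P<action>\w+) (?P<src_if>\S+) '
    r'(?P<dst_if>\S+) (?P<proto>\w+) (?P<src_ip>\S+) (?P<dst_ip>\S+) '
    r'(?P<src_port>\d+) (?P<dst_port>\d+) (?P<kv>.*?)(?: \((?P<policy>[^)]*)\))?$')

# Generic fallback: the rest of the line, anchored to end of line so the
# greedy tail keeps everything (the GREEDYDATA equivalent).
GENERIC_RE = re.compile(PREFIX + r'(?P<content>.*)$')

# The post's shape: a lazy tail with nothing after it (DATA is .*?). Under
# plain regex semantics it matches as little as it can, which is nothing.
LAZY_TAIL_RE = re.compile(PREFIX + r'(?P<content>.*?)')

def content_with_lazy_tail(line):
    m = LAZY_TAIL_RE.match(line)
    return m.group('content') if m else None

def parse(line):
    """Try the most specific pattern first, fall back to the generic one."""
    for name, rx in (('firewall', FIREWALL_RE), ('generic', GENERIC_RE)):
        m = rx.match(line)
        if not m:
            continue
        fields = {k: v for k, v in m.groupdict().items() if v is not None}
        if 'kv' in fields:
            # Split duration="30" sent_bytes="59" ... into separate fields.
            fields.update(re.findall(r'(\w+)="([^"]*)"', fields.pop('kv')))
        fields['pattern'] = name
        return fields
    return None

if __name__ == '__main__':
    for line in (GENERIC, FIREWALL):
        print(parse(line))
```

In Logstash terms the same idea is to list the firewall-specific pattern before the generic one in the grok match array (the first pattern that matches wins by default) and to end the generic pattern with %{GREEDYDATA:content} rather than %{DATA:content}.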