Grok parse failure despite pattern working in debugger

I've been getting grok parse failures for messages like this one:
"message": "<164>Nov 05 2019 12:46:04 NGFW1-IPICHIC : %ASA-4-434003: SFR requested to reset TCP connection from outside:13.249.87.36/443 to inside:38.142.127.155/60366\n"

They parse correctly in the various online grok debuggers; however, the same patterns result in grok parse failures in Logstash.

My patterns are:
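# Action phrases emitted by the SFR module in ASA 434003 messages.
# The alternation is grouped explicitly so it stays self-contained however the
# pattern is composed into a larger expression.
SFR_ACTION (?:requested to drop|requested to reset|requested ASA to bypass further packet redirection and process)

# %ASA-4-434003: "<module> <action> <proto> connection from <if>:<ip>/<port> to <if>:<ip>/<port>"
# IP (rather than IPV4) is used on both sides so that an IPv6 address on either
# end does not turn into a parse failure; the ":" and "/" separators are optional
# as in the original pattern.
CISCOFW434003 %{WORD:module} %{SFR_ACTION:sfr_action} %{WORD:protocol} connection from %{WORD:ingress_interface}:?%{IP:src_ip}/?%{INT:src_port} to %{WORD:egress_interface}:?%{IP:dst_ip}/?%{INT:dst_port}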

My logstash.conf:
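input {
  # Receive Cisco ASA syslog over UDP. The listener is on 8514 rather than the
  # standard syslog port 514, so Logstash does not need privileges to bind it;
  # the ASA's logging host must be pointed at this port.
  udp {
    port => "8514"
    type => "cisco-asa"
  }
}

filter {
  if [type] == "cisco-asa" {
    # Split the syslog header and Cisco tag from the message body.
    grok {
      patterns_dir => ["/etc/logstash/conf.d/patterns/asa/patterns-asa"]
      match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
    }

    # Parse the syslog severity and facility out of syslog_pri.
    syslog_pri { }

    # Parse the "timestamp" field captured above into "@timestamp".
    date {
      match => ["timestamp",
        "MMM dd HH:mm:ss",
        "MMM  d HH:mm:ss",
        "MMM dd yyyy HH:mm:ss",
        "MMM  d yyyy HH:mm:ss"
      ]
      timezone => "America/Chicago"
    }

    # Only when the header grok succeeded: promote the body to "message" and
    # drop the consumed timestamp. On failure the raw event is left intact so
    # the unparsed line can be inspected.
    if "_grokparsefailure" not in [tags] {
      mutate {
        rename => ["cisco_message", "message"]
        remove_field => ["timestamp"]
      }
    }

    # Extract fields from each of the detailed message types. The standard
    # CISCOFW patterns ship with Logstash; site-specific ones (e.g. CISCOFW434003)
    # come from patterns_dir. Any message whose ID is not listed here is tagged
    # _grokparsefailure by this filter -- the same tag the header grok uses -- so
    # the two failure causes cannot be told apart from the tag alone
    # (tag_on_failure can be set here to distinguish them).
    grok {
      patterns_dir => ["/etc/logstash/conf.d/patterns/asa/patterns-asa"]
      match => [
        "message", "%{CISCOFW106001}",
        "message", "%{CISCOFW106006_106007_106010}",
        "message", "%{CISCOFW106014}",
        "message", "%{CISCOFW106015}",
        "message", "%{CISCOFW106021}",
        "message", "%{CISCOFW106023}",
        "message", "%{CISCOFW106100}",
        "message", "%{CISCOFW110002}",
        "message", "%{CISCOFW111001_111007}",
        "message", "%{CISCOFW111008}",
        "message", "%{CISCOFW111010}",
        "message", "%{CISCOFW113019}",
        "message", "%{CISCOFW209005}",
        "message", "%{CISCOFW302010}",
        "message", "%{CISCOFW302013_302014_302015_302016}",
        "message", "%{CISCOFW302020_302021}",
        "message", "%{CISCOFW305011}",
        "message", "%{CISCOFW313001_313004_313008}",
        "message", "%{CISCOFW313005}",
        "message", "%{CISCOFW402117}",
        "message", "%{CISCOFW402119}",
        "message", "%{CISCOFW419001}",
        "message", "%{CISCOFW419002}",
        "message", "%{CISCOFW434002}",
        "message", "%{CISCOFW434003}",
        "message", "%{CISCOFW434004}",
        "message", "%{CISCOFW500004}",
        "message", "%{CISCOFW602303_602304}",
        "message", "%{CISCOFW710001_710002_710003_710005_710006}",
        "message", "%{CISCOFW713172}",
        "message", "%{CISCOFW722033}",
        "message", "%{CISCOFW733100}",
        "message", "%{CISCOFW737034}",
        "message", "%{CISCOFW725001_725002_725007}",
        "message", "%{CISCOFW305006}",
        "message", "%{CISCOFW321006}",
        "message", "%{CISCOFW604103}",
        "message", "%{CISCOFW771002}",
        "message", "%{CISCOFW607001}",
        "message", "%{CISCOFW305013}",
        "message", "%{CISCOFW711004}"
      ]
    }

    # Geo-enrich only when a source address was actually extracted; without the
    # guard, geoip attempts (and fails) a lookup on every unparsed event.
    if [src_ip] {
      geoip {
        source => "src_ip"
        target => "geoip"
      }
    }

    # Drop the raw text once it has been fully parsed. Keep it (or copy it to a
    # separate field) if the original log line is needed for investigations.
    if "_grokparsefailure" not in [tags] {
      mutate {
        remove_field => ["message"]
      }
    }
  }
}

output {
  elasticsearch {
    # TLS endpoint: CA trust and credentials are not configured here; confirm
    # they are supplied (e.g. via the Logstash keystore) before relying on it.
    hosts => ["https://localhost:9200"]
    manage_template => true
    ilm_enabled => "auto"
    ilm_rollover_alias => "cisco-asa"
    ilm_pattern => "000001"
    ilm_policy => "cisco_asa_rollover_policy"
    index => "logstash-asa"
    #document_type => "%{type}"
    #document_id => "%{fingerprint}"
  }
}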
