Need help constructing a grok pattern for the Snort alert log file. I have this so far, but the output is incomplete -



why are the fields from priority onwards not extracted?
05/25-12:03:17.905976  [**] [1:100001:1] ICMP Ping Detected [**] [Priority: 0] {IPV6-ICMP} fe80::20c:29ff:feba:be38 -> ff02::1
05/25-12:03:17.914533  [**] [1:100001:1] ICMP Ping Detected [**] [Classification: a i l] [Priority: 0] {IPV6-ICMP} fe80::20c:29ff:feca:579 -> ff02::16

And this is the pattern that works for the 2nd entry but not the first one.

%{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}\s+\[\*\*\] \[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\]\s+%{DATA:ids_proto}\s+\[\*\*\] \[.*?: %{DATA:Classification}\] \[.*?: %{INT:Priority}\] \{%{DATA:data}} %{IP:dst_ip} .*?> %{IP:dest_port}

It is due to the presence of the field "classification". how do I get it to work for both?

You can make a field (and related whitespace) optional by surrounding them with ()?, which means zero-or-more-of.

grok { match => { "message" => "%{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}\s+\[\*\*\] \[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\]\s+%{DATA:ids_proto}\s+\[\*\*\] (\[.*?: %{DATA:Classification}\] )?\[.*?: %{INT:Priority}\] \{%{DATA:data}} %{IP:dst_ip} .*?> %{IP:dest_port}" } }

If there are more variants then you might want to take an alternate approach. Perhaps something like this.
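As an added illustration (not code from the original thread), the script below expands the two grok patterns into Python regexes using approximate stand-ins for the stock grok definitions (the IP pattern is simplified to the character set of v4/v6 addresses; the real one is much stricter) and runs both over the two sample alerts from the question, so you can see that the first line only matches once the Classification group is wrapped in ( )?.

```python
import re

# Approximate equivalents of the stock grok patterns used in the thread.
# IP is a deliberate simplification (assumption): it accepts anything made of
# hex digits, colons and dots rather than validating a real address.
GROK_DEFS = {
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0-3]|[01]?[0-9])",
    "MINUTE": r"[0-5][0-9]",
    "SECOND": r"(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?",
    "INT": r"[+-]?[0-9]+",
    "DATA": r".*?",
    "IP": r"[0-9a-fA-F:.]+",
}

def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand every %{NAME:field} token into a Python named capture group."""
    def expand(m):
        return f"(?P<{m.group(2)}>{GROK_DEFS[m.group(1)]})"
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))

# Shared prefix and suffix of the patterns posted in the thread.
COMMON = (r"%{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}\s+"
          r"\[\*\*\] \[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\]\s+%{DATA:ids_proto}\s+\[\*\*\] ")
TAIL = r"\[.*?: %{INT:Priority}\] \{%{DATA:data}} %{IP:dst_ip} .*?> %{IP:dest_port}"

# Original pattern: the Classification bracket is mandatory.
ORIGINAL = grok_to_regex(COMMON + r"\[.*?: %{DATA:Classification}\] " + TAIL)
# Fixed pattern from the answer: ( ... )? makes that bracket optional.
FIXED = grok_to_regex(COMMON + r"(\[.*?: %{DATA:Classification}\] )?" + TAIL)

# Constructed sample input: the two alert lines quoted in the question.
LINES = [
    "05/25-12:03:17.905976  [**] [1:100001:1] ICMP Ping Detected [**] [Priority: 0] {IPV6-ICMP} fe80::20c:29ff:feba:be38 -> ff02::1",
    "05/25-12:03:17.914533  [**] [1:100001:1] ICMP Ping Detected [**] [Classification: a i l] [Priority: 0] {IPV6-ICMP} fe80::20c:29ff:feca:579 -> ff02::16",
]

def parse(regex: re.Pattern, line: str):
    """Return the extracted fields, or None where grok would tag _grokparsefailure."""
    m = regex.match(line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    for line in LINES:
        print("original:", parse(ORIGINAL, line))
        print("fixed:   ", parse(FIXED, line))
```

Note that the field names are kept exactly as in the thread, so `dst_ip` actually holds the source address and `dest_port` the destination address; rename them in your own config.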

This works. Thank you so much!

