My apologies. These are my sample log messages:
05/25-12:03:17.905976 [**] [1:100001:1] ICMP Ping Detected [**] [Priority: 0] {IPV6-ICMP} fe80::20c:29ff:feba:be38 -> ff02::1
05/25-12:03:17.914533 [**] [1:100001:1] ICMP Ping Detected [**] [Classification: a i l] [Priority: 0] {IPV6-ICMP} fe80::20c:29ff:feca:579 -> ff02::16
And this is the pattern that works for the 2nd entry but not the first one.
%{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}\s+\[\*\*\] \[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\]\s+%{DATA:ids_proto}\s+\[\*\*\] \[.*?: %{DATA:Classification}\] \[.*?: %{INT:Priority}\] \{%{DATA:data}} %{IP:dst_ip} .*?> %{IP:dest_port}
It is due to the presence of the field "classification". How do I get it to work for both?
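The usual way to handle a bracket that is present in some alerts and absent in others is to wrap that part of the grok expression in an optional non-capturing group, `(?:\[Classification: %{DATA:classification}\] )?`, so the same pattern matches both lines and the field is simply empty when the bracket is missing. The following is an added example, not the poster's pattern or any Logstash code: it expands a grok expression into a Python regular expression with a small hand-written subset of the grok dictionary (the IP entry in particular is a simplified substitute for the real pattern, an assumption for this example), runs it over copies of the two alert lines above, and shows the classification field coming back as `None` for the first line and `a i l` for the second. The field names (`src_ip`, `dst_ip`, `ids_msg`, `proto`) are my own choice.

```python
import re

# Constructed copies of the two Snort-style alert lines from the post.
SAMPLE_LINES = [
    "05/25-12:03:17.905976 [**] [1:100001:1] ICMP Ping Detected [**] "
    "[Priority: 0] {IPV6-ICMP} fe80::20c:29ff:feba:be38 -> ff02::1",
    "05/25-12:03:17.914533 [**] [1:100001:1] ICMP Ping Detected [**] "
    "[Classification: a i l] [Priority: 0] {IPV6-ICMP} fe80::20c:29ff:feca:579 -> ff02::16",
]

# Minimal grok dictionary. Assumption: a hand-written subset, not the
# logstash-patterns-core definitions; IP is simplified to "IPv4 dotted quad
# or any run of hex digits and colons", which is enough for these samples.
GROK = {
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0-3]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "INT": r"(?:[+-]?[0-9]+)",
    "DATA": r".*?",
    "IP": r"(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[0-9a-fA-F:]+)",
}

# The grok expression. The part that answers the question is the optional
# non-capturing group around the Classification bracket; everything else is
# the same shape as the poster's pattern, with field names of my own choosing.
GROK_EXPR = (
    r"%{MONTHNUM:month}/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}"
    r"\s+\[\*\*\] \[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\]\s+%{DATA:ids_msg}\s+\[\*\*\] "
    r"(?:\[Classification: %{DATA:classification}\] )?"
    r"\[Priority: %{INT:priority}\] \{%{DATA:proto}\} %{IP:src_ip} -> %{IP:dst_ip}"
)

# Matches %{NAME:field} (named capture) or %{NAME} (plain group).
_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(expr: str) -> str:
    """Expand every %{NAME[:field]} token into the equivalent Python regex group."""
    def sub(m: re.Match) -> str:
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return _TOKEN.sub(sub, expr)


ALERT_RE = re.compile(grok_to_regex(GROK_EXPR) + r"$")


def parse_alert(line: str):
    """Return the captured fields as a dict, or None if the line does not match.

    'classification' is None when the optional bracket is absent from the line.
    """
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = parse_alert(line)
        print(fields["classification"], fields["priority"], fields["src_ip"], "->", fields["dst_ip"])
```

The same `( ... )?` construct is valid inside a Logstash grok expression, since grok compiles to a regular expression, so the optional group can be pasted into the original pattern as-is. Keeping the optional group non-capturing and the bracket's trailing space inside it is what stops a spurious empty field and a double space from breaking the match on lines without a classification.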