Grok pattern match order

Hi all,

I've been writing up some grok patterns to match some Cisco FirePower logs; however, due to the data in the logs, it sometimes matches against other patterns and makes the results inaccurate.

I've got the below config (data extracted for easier reading)

filter {
  if "firepower" in [tags] {
    grok {
      match => [
        "message", "AccessControlRuleAction: %{DATA:aclRuleAction}, UserName: %{WORD:username}, Client: %{DATA:client}, ApplicationProtocol: %{WORD:appProtocol}, InitiatorPackets: %{NUMBER:initPackets}",
        "message", "AccessControlRuleAction: %{DATA:aclRuleAction}, InitiatorPackets: %{NUMBER:initPackets}"
      ]
    }
  }
}

Example log line:

AccessControlRuleAction: Allow, UserName: testuser, Client: SSL client, ApplicationProtocol: HTTPS, InitiatorPackets: 3

The problem I'm finding is that this is parsing the data as follows:

AccessControlRuleAction: Allow, UserName: testuser, Client: SSL client, ApplicationProtocol: HTTPS,
InitiatorPackets: 3

Expected result:

AccessControlRuleAction: Allow
UserName: testuser
Client: SSL client
ApplicationProtocol: HTTPS
InitiatorPackets: 3

Is there any reason why the grok patterns aren't matched in order? There are other log lines that match the 2nd pattern, hence why I can't remove it.
Are there any workarounds for something like this?

Any help would be appreciated.

Cheers,


Using 6.2.x I am unable to reproduce this using the filter and input you gave. It matches the first pattern and breaks on match.

As a workaround you could split it into two groks and make the second one conditional on the tag _grokparsefailure.

Hey,

I've managed to fix it now. Turns out the end to the full pattern wasn't correct.

Sorry to have wasted your time :frowning_face:
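To see why a first pattern with a bad tail produces exactly the merged aclRuleAction reported above (and why the fall-through ends in _grokparsefailure when nothing matches), here is an added Python emulation of grok's ordered, break-on-match evaluation. It is not Logstash's code: DATA, WORD and NUMBER are simplified stand-ins for the grok definitions, and BROKEN_FULL is a constructed stand-in for a pattern whose ending does not match the log line.

```python
import re

# Simplified stand-ins for the grok definitions used in the thread's patterns
# (grok's real NUMBER uses an atomic group that older Python versions lack).
GROK_DEFS = {
    "DATA": r".*?",
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
}


def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand each %{NAME:field} reference into a named Python capture group."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_DEFS[name]})"
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))


def grok_match(message: str, patterns: list) -> dict:
    """Emulate grok's default behaviour: try the patterns in the order given,
    stop at the first one that matches (break_on_match => true) and return its
    fields; if none match, tag the event with _grokparsefailure."""
    for pattern in patterns:
        m = grok_to_regex(pattern).search(message)
        if m:
            return m.groupdict()
    return {"tags": ["_grokparsefailure"]}


# The two patterns from the original post.
FULL = ("AccessControlRuleAction: %{DATA:aclRuleAction}, UserName: %{WORD:username}, "
        "Client: %{DATA:client}, ApplicationProtocol: %{WORD:appProtocol}, "
        "InitiatorPackets: %{NUMBER:initPackets}")
SHORT = "AccessControlRuleAction: %{DATA:aclRuleAction}, InitiatorPackets: %{NUMBER:initPackets}"
# Constructed defect (assumption): a mistyped tail so the full pattern can never match.
BROKEN_FULL = FULL.replace("InitiatorPackets", "InitiatorPkts")

# Example log line from the original post.
LOG = ("AccessControlRuleAction: Allow, UserName: testuser, Client: SSL client, "
       "ApplicationProtocol: HTTPS, InitiatorPackets: 3")

if __name__ == "__main__":
    print(grok_match(LOG, [FULL, SHORT]))         # all five fields, as expected
    print(grok_match(LOG, [BROKEN_FULL, SHORT]))  # falls through: DATA swallows the middle
```

With the broken first pattern, the second pattern's `%{DATA:aclRuleAction}` has to stretch all the way to ", InitiatorPackets:" to match, which is exactly the lumped-together value seen in the question.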
