Hi all,
I've been writing up some grok patterns to match some Cisco Firepower logs; however, due to the data in the logs, it sometimes matches against other patterns, making the results inaccurate.
I've got the below config (data extracted for easier reading):
filter {
  if "firepower" in [tags] {
    grok {
      match => [
        "message", "AccessControlRuleAction: %{DATA:aclRuleAction}, UserName: %{WORD:username}, Client: %{DATA:client}, ApplicationProtocol: %{WORD:appProtocol}, InitiatorPackets: %{NUMBER:initPackets}",
        "message", "AccessControlRuleAction: %{DATA:aclRuleAction}, InitiatorPackets: %{NUMBER:initPackets}"
      ]
    }
  }
}
Example log line:
AccessControlRuleAction: Allow, UserName: testuser, Client: SSL client, ApplicationProtocol: HTTPS, InitiatorPackets: 3
The problem I'm finding is that this is parsing the data as follows:
AccessControlRuleAction: Allow, UserName: testuser, Client: SSL client, ApplicationProtocol: HTTPS,
InitiatorPackets: 3
Expected result:
AccessControlRuleAction: Allow
UserName: testuser
Client: SSL client
ApplicationProtocol: HTTPS
InitiatorPackets: 3
Is there any reason why the grok patterns aren't matched in order? There are other log lines that match the 2nd pattern, hence why I can't remove it.
Are there any workarounds for something like this?
Any help would be appreciated.
Cheers,
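As an added illustration (not part of the original post), the following Ruby script emulates how grok expands the two patterns above and tries them in order against the sample log line, so you can see exactly what `%{DATA}` captures in each case. The `GROK_DEFS` table is a simplified stand-in for grok's real DATA/WORD/NUMBER definitions, the second sample line is constructed, and the tightened second pattern (`WORD` instead of `DATA` for the rule action) is a suggested change, not something from the thread.

```ruby
# Simplified stand-ins for the three grok patterns used in the question
# (grok's real NUMBER is stricter; this is enough to show the behaviour).
GROK_DEFS = {
  "DATA"   => ".*?",                 # non-greedy: grows only until the next literal fits
  "WORD"   => "\\b\\w+\\b",
  "NUMBER" => "[+-]?[0-9]+(?:\\.[0-9]+)?",
}.freeze

# Expand every %{NAME:field} into a Ruby named capture group.
def grok_to_regex(pattern)
  Regexp.new(pattern.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{GROK_DEFS.fetch($1)})" })
end

# Try the patterns in order and stop at the first hit, like break_on_match => true.
# Returns [index_of_matching_pattern, {field => value}] or nil if nothing matched.
def grok_match(line, patterns)
  patterns.each_with_index do |pat, i|
    m = grok_to_regex(pat).match(line)
    return [i, m.names.zip(m.captures).to_h] if m
  end
  nil
end

# The two patterns from the question.
FULL  = "AccessControlRuleAction: %{DATA:aclRuleAction}, UserName: %{WORD:username}, Client: %{DATA:client}, ApplicationProtocol: %{WORD:appProtocol}, InitiatorPackets: %{NUMBER:initPackets}"
SHORT = "AccessControlRuleAction: %{DATA:aclRuleAction}, InitiatorPackets: %{NUMBER:initPackets}"
# Suggested tightening (assumption): the rule action is a single word, so WORD
# cannot swallow the middle of a long line the way DATA does.
SHORT_TIGHT = "AccessControlRuleAction: %{WORD:aclRuleAction}, InitiatorPackets: %{NUMBER:initPackets}"

LONG_LINE  = "AccessControlRuleAction: Allow, UserName: testuser, Client: SSL client, ApplicationProtocol: HTTPS, InitiatorPackets: 3"
SHORT_LINE = "AccessControlRuleAction: Block, InitiatorPackets: 0"   # constructed sample

if __FILE__ == $PROGRAM_NAME
  p grok_match(LONG_LINE, [FULL, SHORT])        # index 0: all five fields split out
  p grok_match(LONG_LINE, [SHORT])              # DATA swallows everything up to ", InitiatorPackets"
  p grok_match(LONG_LINE, [FULL, SHORT_TIGHT])  # index 0, same as the first call
  p grok_match(SHORT_LINE, [FULL, SHORT_TIGHT]) # index 1: short lines still match
  p grok_match(LONG_LINE, [SHORT_TIGHT])        # nil: tightened pattern cannot misfire on long lines
end
```

Running the second call reproduces the over-wide `aclRuleAction` value shown in the question, which is what happens whenever the short pattern is the one that gets applied to a long line.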