I have some logs from my network devices. The logs are sent to Logstash, and after some filtering of the logs I get "grokparsefailure".
Logstash config:

```
grok {
  match => { "message" => "^[a-z0-9,]* %{GREEDYDATA:message}" }
  overwrite => [ "message" ]
}
multiline {
  source => "message"
  pattern => "^(TCP)|(first L2TP)"
  negate => false
  what => next
  max_age => "2"
}
mutate {
  gsub => ["message", "\n", " "]
}
```
Message from a successful PPTP VPN client login:
```
if ( [message] =~ /^TCP.*(logged\sin,)/) {
  grok {
    match => { "message" => " %{PPTPVPNCLIENTIN} " }
    add_field => { "[microtik][vpnclientauth]" => "login susseful" }
  }
}
```
Grok pattern:

```
PPTPVPNCLIENTIN TCP connection established from %{IPV4:[microtik][vpnclientsourceip]} %{USERNAME:[microtik][username]} logged in, %{IPV4:[microtik][vpnclientinternalip]}
```
Original log:

```
"pptp,info TCP connection established from realIP"
"pptp,ppp,info,account username logged in, localIP"
```
rubydebug output:

```
{
       "message" => "TCP connection established from realIP username logged in, localIP",
      "@version" => "1",
    "@timestamp" => "date/time",
          "type" => "mtsl",
          "host" => "ip",
          "tags" => [
        [0] "multiline",
        [1] "_grokparsefailure"
    ]
}
```
I think it's a simple syntax error on my part, but I can't find it (
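An added check, not part of the post, that emulates grok's unanchored search with Python regexes and runs the match pattern exactly as written in the config (with the surrounding spaces) and a trimmed variant against a constructed copy of the joined message. The IPV4 and USERNAME definitions are simplified stand-ins for grok's defaults, and the custom PPTPVPNCLIENTIN pattern is inlined so the script runs offline.

```python
import re

# Stand-ins for the default grok definitions (assumption: the real IPV4
# definition is stricter about octet ranges, which does not matter here).
GROK_DEFS = {
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USERNAME": r"[a-zA-Z0-9._-]+",
}

# Custom pattern copied from the post so the example is self-contained.
GROK_DEFS["PPTPVPNCLIENTIN"] = (
    "TCP connection established from %{IPV4:[microtik][vpnclientsourceip]} "
    "%{USERNAME:[microtik][username]} logged in, "
    "%{IPV4:[microtik][vpnclientinternalip]}"
)

def grok_to_regex(pattern, fields):
    """Expand %{NAME} / %{NAME:field} recursively into a Python regex.
    Named groups get sanitized names; `fields` maps them back to the
    original grok field names."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK_DEFS[name], fields)
        if not field:
            return f"(?:{inner})"
        group = f"g{len(fields)}"
        fields[group] = field
        return f"(?P<{group}>{inner})"
    return re.sub(r"%\{(\w+)(?::([^}]+))?\}", repl, pattern)

def grok_match(match_pattern, message):
    """Emulate grok { match => { "message" => match_pattern } }: an
    unanchored search that returns the captured fields, or None (the
    case in which grok tags the event with _grokparsefailure)."""
    fields = {}
    m = re.search(grok_to_regex(match_pattern, fields), message)
    if not m:
        return None
    return {fields[g]: v for g, v in m.groupdict().items()}

# Constructed sample of what multiline + gsub produce from the two MikroTik
# lines in the post (addresses taken from the RFC 5737 documentation ranges).
SAMPLE = "TCP connection established from 203.0.113.10 alice logged in, 192.0.2.20"

AS_POSTED = " %{PPTPVPNCLIENTIN} "   # leading/trailing space, as in the config
TRIMMED = "%{PPTPVPNCLIENTIN}"

if __name__ == "__main__":
    print("as posted:", grok_match(AS_POSTED, SAMPLE))
    print("trimmed:  ", grok_match(TRIMMED, SAMPLE))
```

Because the joined message neither starts nor ends with a space, the literal spaces around `%{PPTPVPNCLIENTIN}` have nothing to match, which is one reason this emulation returns None for the pattern as posted.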