Help with my grok statement


(Frank Shearer) #1

I have this syslog output and am trying to parse it out:
Login Success [user: fshearer] [Source: 10.130.129.14] [localport: 22] at 09:46:35 PDT Fri Nov 2 2018

Grok:
"%{NOTSPACE}%{SPACE}%{CISCO_REASON:cisco_reason}%{SYSLOG5424SD:user}%{SPACE}%{SYSLOG5424SD:source_ip}%{SPACE}%{SYSLOG5424SD:local_port}%{SPACE}%{NOTSPACE}%{SPACE}%{TIME:time}%{SPACE}%{TZ:time_zone}%{SPACE}%{CISCO_REASON:date}%{NOTSPACE}"

it gives me this in logstash:
"token" => "YgrLvkLORuxkDCmObbnhjxGAeVYutPKg",
"facility_full" => "Secure login",
"severity_level" => "5 - Notification",
"user" => "[user: fshearer]",
"@timestamp" => 2018-11-02T16:46:35.448Z,
"host" => "10.130.1.55",
"log_sequence" => "99598",
"facility" => "SEC_LOGIN",
"source_ip" => "[Source: 10.130.129.14]",
"message" => "Login Success [user: fshearer] [Source: 10.130.129.14] [localport: 22] at 09:46:35 PDT Fri Nov 2 2018",
"local_port" => "[localport: 22]",
"time" => "09:46:35",
"date" => "Fri Nov 2 ",
"facility_mnemonic" => "LOGIN_SUCCESS",
"time_zone" => "PDT",
"tags" => [
[0] "Cisco_IOS",
[1] "logon_success",
[2] "cisco-ios"
],
"log_date" => "Nov 2 16:46:35.448 UTC",
"cisco_reason" => "Success "
}

I am trying to get the following:
"user" => "fshearer" not "[user: fshearer]"
"source_ip" => "10.130.129.14" not "[Source: 10.130.129.14]"

Can someone point me in the right direction? Thanks


(Frank Shearer) #2

Never mind, figured it out. Thanks

%{CISCO_REASON}%{SYSLOG5424PRINTASCII}%{SPACE}%{USER}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{IP}%{SYSLOG5424PRINTASCII}%{SPACE}%{SYSLOG5424PRINTASCII}%{SPACE}%{INT}%{SYSLOG5424PRINTASCII}%{SPACE}%{WORD}%{SPACE}%{TIME}%{SPACE}%{TZ}%{SPACE}%{DAY}%{SPACE}%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{YEAR}

But I have noticed that on the failed logins the log doesn't add a user name (Login failed [user: ]). How would I handle an empty space? %{USER:user}
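Since the empty-user question above did not get an answer in the thread, here is an added Python example (not from the original posts) that does the same extraction with a regex whose named groups stand in for the %{PATTERN:field} captures; the user group is optional, so a failed-login line with "[user: ]" still matches. The failed-login sample line is constructed to mirror the shape the poster describes.

```python
import re
from typing import Optional

# Constructed sample lines: the first is the line from the original post, the
# second is a made-up failed login with the empty user the poster describes.
SAMPLE_LINES = [
    "Login Success [user: fshearer] [Source: 10.130.129.14] [localport: 22] at 09:46:35 PDT Fri Nov 2 2018",
    "Login failed [user: ] [Source: 10.130.129.14] [localport: 22] at 09:47:02 PDT Fri Nov 2 2018",
]

# Regex equivalent of the grok pattern. Named groups play the role of
# %{PATTERN:field}; the user group is optional so "[user: ]" still matches.
# In grok the same idea is written as  \[user: (?:%{USER:user})?\]
LOGIN_RE = re.compile(
    r"^Login (?P<result>Success|failed)"
    r" \[user: (?P<user>[a-zA-Z0-9._-]+)?\]"
    r" \[Source: (?P<source_ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r" \[localport: (?P<local_port>\d+)\]"
    r" at (?P<time>\d{2}:\d{2}:\d{2}) (?P<time_zone>[A-Z]{3,4})"
    r" (?P<day>[A-Za-z]{3}) (?P<month>[A-Za-z]{3}) (?P<monthday>\d{1,2}) (?P<year>\d{4})$"
)


def parse_login(line: str) -> Optional[dict]:
    """Return the extracted fields, or None when the line has another shape."""
    m = LOGIN_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Empty user on a failed login: keep the field as None rather than "" so
    # downstream searches on the user field do not match an empty string.
    if not fields["user"]:
        fields["user"] = None
    # Normalised outcome field, handy for alerting on repeated failures.
    fields["outcome"] = "success" if fields["result"] == "Success" else "failure"
    fields["local_port"] = int(fields["local_port"])
    return fields


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_login(sample))
```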


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.