How to write a Logstash grok filter for different info in the syslog message field

Hi All,

I want to parse a firewall syslog stream.
Depending on the firewall action, the syslog message field contains additional information, like the outbound interface or the service name of well-known ports, or it does not.

I have three examples:

Do I need a single grok filter for each type (like below), and how do I configure the grok filter in the end?

Many thanks in advance.

A single grok filter can list multiple expressions. They will be tried in order. There's an example in the grok filter documentation.

That sounds good.
Can you share a link where I can find this information?

In the documentation I found following example to match multiple patterns against a single field.

filter {
  # Both patterns are tried in order against the "message" field.
  grok { match => { "message" => [ "Duration: %{NUMBER:duration}", "Speed: %{NUMBER:speed}" ] } }
}

But I have no idea how to configure my filter based on this example.
I apologize because I'm new to grok and regex.

You already have three grok expressions. Just list them in the grok filter as in the example.

Thanks @magnusbaeck.

After reading some documents and testing, the following easy filter works for me (without _grokparsefailure):

filter {
  if [type] == "syslog" {
    grok {
      # Patterns are tried in order and the first match wins, so the most
      # specific one (service and interface present) is listed first.
      match => { "message" => [
        "\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|%{USERNAME:Dst-Service}\|%{WORD:Dst-Inf}\|%{WORD:Rule-Name}",
        "\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|%{USERNAME:Dst-Service}\|\|%{WORD:Rule-Name}",
        "\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|\|\|%{WORD:Rule-Name}"
      ] }
    }
  }
}

Kind regards
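To show what the three-pattern grok filter above actually does to the three kinds of message, here is a small stand-alone emulation in Python. It is an added example, not code from the thread or from Logstash: it expands the `%{SYNTAX:SEMANTIC}` tokens with the base definitions of INT, WORD, USERNAME and IPV4 as they appear in Logstash's standard grok-patterns file, tries the patterns in order with first-match-wins (the default `break_on_match => true`), and runs them over four constructed syslog lines. The firewall message layout (`action=...|ip|port|service|interface|rule`) is an assumption made up for the sample lines; the original poster's real messages are not on the page.

```python
import re

# Base grok definitions reproduced from Logstash's standard grok-patterns file
# (only the four SYNTAX names used by the filter in this thread).
GROK_PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "WORD": r"\b\w+\b",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "IPV4": (r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
             r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
             r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
             r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])"),
}

# Matches %{SYNTAX} or %{SYNTAX:SEMANTIC}; field names may contain '-' and '.'.
_TOKEN = re.compile(r"%\{(\w+)(?::([\w@.\-]+))?\}")

# The three expressions from the working filter in this thread, unchanged.
FIREWALL_PATTERNS = [
    r"\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|%{USERNAME:Dst-Service}\|%{WORD:Dst-Inf}\|%{WORD:Rule-Name}",
    r"\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|%{USERNAME:Dst-Service}\|\|%{WORD:Rule-Name}",
    r"\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|\|\|%{WORD:Rule-Name}",
]

# Constructed sample messages (hypothetical firewall format, not real log data):
# 1: well-known port, service name and outbound interface present
# 2: service name present, interface empty
# 3: neither service name nor interface
# 4: a line the filter should not match at all
SAMPLE_MESSAGES = [
    "<134>Jan 12 10:00:01 fw1 action=accept|10.0.0.5|22|ssh|eth1|Allow_SSH",
    "<134>Jan 12 10:00:02 fw1 action=drop|10.0.0.5|22|ssh||Drop_SSH",
    "<134>Jan 12 10:00:03 fw1 action=drop|10.0.0.5|8443|||Drop_High",
    "<134>Jan 12 10:00:04 fw1 heartbeat",
]


def compile_grok(pattern):
    """Expand a grok pattern into a compiled Python regex.

    Python group names cannot contain '-', so each %{SYNTAX:SEMANTIC} becomes a
    plain numbered capturing group and the field names are returned alongside
    the regex in the same order. The base definitions contain no capturing
    groups, so group numbering lines up with the token order.
    """
    names = []

    def expand(match):
        syntax, semantic = match.group(1), match.group(2)
        base = GROK_PATTERNS[syntax]
        if semantic is None:
            return "(?:" + base + ")"
        names.append(semantic)
        return "(" + base + ")"

    return re.compile(_TOKEN.sub(expand, pattern)), names


def grok_first_match(patterns, message):
    """Emulate one grok filter with a list of patterns (break_on_match => true).

    Patterns are tried in order; the first one that matches wins and its
    captured fields are returned. None means no pattern matched, which is
    the case in which Logstash would add the _grokparsefailure tag.
    """
    for pattern in patterns:
        regex, names = compile_grok(pattern)
        # grok searches unanchored by default, like re.search.
        found = regex.search(message)
        if found:
            return dict(zip(names, found.groups()))
    return None


def parse_all(messages=SAMPLE_MESSAGES, patterns=FIREWALL_PATTERNS):
    """Run the filter over every sample line; one result (dict or None) per line."""
    return [grok_first_match(patterns, m) for m in messages]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_MESSAGES, parse_all()):
        print(line)
        print("   ->", fields if fields is not None else "_grokparsefailure")
```

Two things the emulation makes visible that the config alone does not. First, the order is what makes this work: each later expression is a less specific version of the one before it, and the literal `\|\|` separators are what stop the second and third expressions from grabbing fields from a message that the first one should parse. Second, grok matches unanchored, so every expression that fails is still scanned across the whole message before the next one is tried; anchoring the real patterns with `^` and `$` where the message layout allows it makes failures cheap and stops a pattern from matching an unexpected substring. Note also that field names with a hyphen, such as `Dst-IP`, must be written as `[Dst-IP]` in later Logstash conditionals and filters.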
