How to Logstash gork filter with different infos in syslog message field

jiona · March 11, 2018, 10:53pm

After reading some documents and testings, the following easy filter works for me (without _grokparsefailure):

filter {
if [type] == "syslog" {
grok {
match => { "message" => "\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|%{USERNAME:Dst-Service}\|%{WORD:Dst-Inf}\|%{WORD:Rule-Name}"}
match => { "message" => "\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|%{USERNAME:Dst-Service}\|\|%{WORD:Rule-Name}"}
match => { "message" => "\|%{IPV4:Dst-IP}\|%{INT:Dst-Port}\|\|\|%{WORD:Rule-Name}"}
}
}
}

Kind regards
Jiona

Topic		Replies	Views
Syslog additional fields Logstash	8	2915	July 6, 2017
Grok filter multiple match Logstash	4	19084	October 31, 2019
What is wrong in my grok filter work for logstash? Logstash	8	924	July 6, 2017
Trying to grok a watchguard Logstash	3	1908	August 23, 2018
Logstash Grok Pattern Watchguard Firewall Elasticsearch	7	1005	October 13, 2023

How to Logstash gork filter with different infos in syslog message field

Related topics