Logstash Grok filter Not working

<181>Jan 28 14:49:00 cisco CISE_RADIUS_Accounting 0001444968 1 0 2026-01-28 14:49:00.791 +00:00 0794387998 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=312, Device IP Address=1.1.1.1, UserName=asdwe, NetworkDeviceName=ASD-3451-02, User-Name=asdasdasda, NAS-IP-Address=1.1.1.1, NAS-Port=234, Framed-IP-Address=1.1.1.1, Class=CACS:fsdfdsfsdfsdfsdf:2344/546510917/40333559, Called-Station-ID=00-00-00-00-000, Calling-Station-ID=00-00-00-00-000, NAS-Identifier=aasd-asdasd-02, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=4866172, Acct-Output-Octets=2952901, Acct-Session-Id=00018c74, Acct-Authentic=Remote, Acct-Input-Packets=7953, Acct-Output-Packets=4770, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1769611740, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=asdasd-234234, Framed-IPv6-Address=123::144b:234:sdf:234, cisco-av-pair=audit-session-id=5BFD290A0007313704E493AF, cisco-av-pair=vlan-id=111, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=MOBILE, cisco-av-pair=wlan-profile-name=MOBILE, Airespace-Wlan-Id=123, AcsSessionID=sdf123/546510917/40338310, SelectedAccessService=ALLOWED, RequestLatency=3, Step=11004, Step=11017, Step=15049, Step=15008, Step=22085, Step=11005, NetworkDeviceGroups=Location#All Locations#asdasdas#asdasdasdasd GR, NetworkDeviceGroups=Device Type#All Device Types#WIRELESS, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, CPMSessionID=5BFD290A0007313704E493AF, StepLatency=1=0;2=1;3=0;4=2;5=0, TotalAuthenLatency=3, ClientLatency=0, Network Device Profile=Cisco, Location=Location#All Locations#asdsa#asdsadasd GR, Device Type=Device Type#All Device Types#WIRELESS, IPSEC=IPSEC#Is IPSEC Device#No,

Both of these if statements don't work.

The filter looks like this:

filter {
  if "CISE" in [message] {
    grok {
      match => { "message" => "<%{INT:priority}>%{SYSLOGTIMESTAMP:syslog_ts} %{HOSTNAME:hostname} %{WORD:program} %{INT:session_id} %{INT:flag1} %{INT:flag2} %{TIMESTAMP_ISO8601:timestamp} %{INT:offset}:%{INT:code} %{INT:subcode} %{INT:subcode2} %{LOGLEVEL:log_level}\s+%{WORD:Profiler}: %{DATA:Profiler1}, %{GREEDYDATA:restOfLine}" }
    }
    kv {
      source => "restOfLine"
      field_split => ","
      trim_key => " "
      value_split => "="
    }
    mutate {
      remove_field => [ "message", "restOfLine" ]
      add_field => { "devicevendor" => "cisco" }
      add_field => { "deviceproduct" => "ise" }
    }
  }
  else if "CISE" in [message] {
    grok {
      match => { "message" => "^<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:host} %{WORD:ise_service} %{INT:msg_id} %{INT} %{INT} %{TIMESTAMP_ISO8601:event_time} %{INT:sequence} %{INT:message_code} %{LOGLEVEL:log_level} Radius-Accounting: %{GREEDYDATA:kv_payload}$" }
    }
    kv {
      source => "kv_payload"
      field_split => ", "
      value_split => "="
      trim_key => " "
      trim_value => " "
      allow_duplicate_values => true
      target => "radius"
    }
    if [radius][cisco-av-pair] {
      kv {
        source => "[radius][cisco-av-pair]"
        value_split => "="
        target => "[radius][cisco]"
      }
    }
  }
}

Grok Debugger says the first if statement should parse it fine, but I am getting a _grokparsefailure.

Cisco ISE logs are a nightmare, there are a lot of things that can break your grok and you need to keep fixing it until you have a working version.

I would recommend that you switch to the Elastic Agent Cisco ISE integration that does a better job and has this parsing already done.


I have a git request for it; it doesn't support Profiler logs yet, so I have to use this, which is why I have an if (the profiler one first). But it should work for this Accounting log as it's the same, so that's why I split it into 2. I know the first if statement works for the profiler and the 2nd for the accounting.

I am not sure this matches the +00:00 in the log line shared?

But don't chase your own tail here, and do what @leandrojmp suggested if you can.

Well it is never going to go through the else if because you are using the same test in both conditionals. If "CISE" in [message] it will never get to the second grok.

The first grok doesn’t match because "Profiler" => "Radius-Accounting" contains a hyphen, which means it does not match %{WORD}. You could change that to %{NOTSPACE} to make it work.

To debug patterns like this start with

  match => { "message" => "<%{INT:priority}>%{GREEDYDATA:restOfLine}" }

and then add one field at a time until it stops working. The last field you add is the one that needs to change.

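The WORD vs NOTSPACE mismatch and the add-one-field-at-a-time method above, as an added Python example (not code from this thread or from Logstash): it expands grok tokens into Python regexes using assumed, simplified equivalents of the standard grok pattern definitions, runs the first grok pattern from the question against the head of the sample line, and reports the first field at which the growing prefix stops matching.

```python
import re

# Assumed regex equivalents of the grok patterns used in the filter; they follow
# the standard grok definitions, with TIMESTAMP_ISO8601 and LOGLEVEL simplified.
GROK = {
    "INT": r"[+-]?[0-9]+",
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}",
    "HOSTNAME": r"[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\.?",
    "WORD": r"\b\w+\b",          # stops at '-', so "Radius-Accounting" cannot match
    "NOTSPACE": r"\S+",          # runs to the next whitespace, hyphens included
    "TIMESTAMP_ISO8601": r"[0-9]{4}-[0-9]{2}-[0-9]{2}[T ][0-9]{2}:[0-9]{2}"
                         r"(?::[0-9]{2}(?:[.,][0-9]+)?)?(?:Z|[+-][0-9]{2}(?::?[0-9]{2})?)?",
    "LOGLEVEL": r"NOTICE|INFO|WARN(?:ING)?|ERR(?:OR)?|DEBUG",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}
TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")

# The first grok pattern from the question, as posted, and the NOTSPACE fix.
PATTERN = (r"<%{INT:priority}>%{SYSLOGTIMESTAMP:syslog_ts} %{HOSTNAME:hostname} "
           r"%{WORD:program} %{INT:session_id} %{INT:flag1} %{INT:flag2} "
           r"%{TIMESTAMP_ISO8601:timestamp} %{INT:offset}:%{INT:code} %{INT:subcode} "
           r"%{INT:subcode2} %{LOGLEVEL:log_level}\s+%{WORD:Profiler}: %{DATA:Profiler1}, "
           r"%{GREEDYDATA:restOfLine}")
FIXED = PATTERN.replace("%{WORD:Profiler}", "%{NOTSPACE:Profiler}")

# Constructed sample: the head of the accounting line from the question.
MESSAGE = ("<181>Jan 28 14:49:00 cisco CISE_RADIUS_Accounting 0001444968 1 0 "
           "2026-01-28 14:49:00.791 +00:00 0794387998 3002 NOTICE Radius-Accounting: "
           "RADIUS Accounting watchdog update, ConfigVersionId=312, UserName=asdwe")

def grok_to_regex(pattern):
    """Expand each %{NAME:field} token into a named (or non-capturing) regex group."""
    return TOKEN.sub(lambda m: f"(?P<{m.group(2)}>{GROK[m.group(1)]})" if m.group(2)
                     else f"(?:{GROK[m.group(1)]})", pattern)

def grok_parse(pattern, message):
    """Captured fields as a dict, or None (what Logstash tags as _grokparsefailure)."""
    m = re.match(grok_to_regex(pattern), message)
    return m.groupdict() if m else None

def first_failing_token(pattern, message):
    """Match a growing prefix of the pattern, one field at a time, and return the
    first field at which it stops matching (None when every prefix matches)."""
    tokens = list(TOKEN.finditer(pattern))
    for i, tok in enumerate(tokens):
        # keep the literal text up to the next field so the separator is checked too
        end = tokens[i + 1].start() if i + 1 < len(tokens) else len(pattern)
        if not re.match(grok_to_regex(pattern[:end]), message):
            return tok.group(0)
    return None
```

With the posted pattern the search stops at %{WORD:Profiler}; with the NOTSPACE version every prefix matches and Profiler captures "Radius-Accounting".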

wow… a - threw off a WORD vs NOTSPACE. Thanks!