Logstash/Grok not processing part of a custom filter

Not sure if I am missing something, or just going about this all wrong, but some of the syslog events from our ASA just don't seem to filter/parse correctly.

Relevant syslog events:

"message":"<150>Nov 18 2016 15:50:23: %ASA-6-113004: AAA user authentication Successful : server =  1.2.3.4 : user = some.username\n"
"message":"<150>Nov 18 2016 15:50:23: %ASA-6-113004: AAA user authorization Successful : server =  1.2.3.4 : user = some.username\n"
"message":"<150>Nov 18 2016 15:50:23: %ASA-6-113008: AAA transaction status ACCEPT : user = some.username\n"

Current grok filter lines related to syslog events above:

"message", "%{WORD:protocol} user authentication %{WORD:action} : server = %{IP:auth_srv} : user = %{DATA:user}\n",
"message", "%{WORD:protocol} user authorization %{WORD:action} : server = %{IP:auth_srv} : user = %{DATA:user}\n",
"message", "%{WORD:protocol} transaction status %{WORD:action} : user = {%DATA:user}\n",

I am not sure if the " : " in each event is what might be causing the issue, but that seems to be the only common thing between the events that won't process. I have dozens of other custom filters before and after these lines that work just fine.

Anybody have any ideas?

One thing I notice immediately is that there are two spaces before the IP address in your example entries but your expression requires a single space.

In general, debug problems like this by starting with the simplest possible expression. Then add a little bit more so that you step by step converge towards the current expression that doesn't work. At some point things are going to start failing and then you've narrowed it down sufficiently to be able to spot the culprit.
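To make the diagnosis concrete, here is an added example (not code from the thread or from Logstash itself) that emulates grok's `%{NAME:field}` expansion on top of Python's `re` module, using a small hand-written subset of the stock pattern definitions (WORD, IP, DATA, SPACE; these are assumed to be close enough to the real grok definitions for this purpose). It runs the poster's authentication pattern against the posted event, shows that the single space after `server =` is what breaks it, shows a corrected pattern using `%{SPACE}` so either one or two spaces match, and implements the step-by-step narrowing procedure from the reply as a function that reports the first prefix of the pattern that stops matching. It also shows that the third pattern's `{%DATA:user}` (brace and percent transposed) is never expanded and so can never match.

```python
import re

# Assumption: a hand-written subset of grok's stock patterns, sufficient for
# the ASA AAA events in the thread. Real grok has hundreds more.
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "DATA": r".*?",
    "SPACE": r"\s*",
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand grok %{NAME:field} references into a Python regex.

    A captured reference becomes a named group; a bare %{NAME} becomes a
    non-capturing group. Anything that is not well-formed grok syntax
    (for example the transposed '{%DATA:user}') is left as literal text,
    which is also what grok does, so it can never match the event.
    """
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _GROK_REF.sub(expand, pattern)


def grok_match(pattern: str, message: str):
    """Return the captured fields as a dict, or None when the pattern fails.

    Unanchored search, like grok's default behaviour.
    """
    m = re.search(grok_to_regex(pattern), message)
    return m.groupdict() if m else None


def first_failing_prefix(steps, message):
    """The reply's debugging procedure: try progressively longer patterns
    and return (index, pattern) of the first one that no longer matches,
    or None if every step matches."""
    for i, step in enumerate(steps):
        if grok_match(step, message) is None:
            return i, step
    return None


# Events as posted in the question (JSON wrapper removed, trailing newline kept).
AUTHN_MSG = ("<150>Nov 18 2016 15:50:23: %ASA-6-113004: AAA user authentication "
             "Successful : server =  1.2.3.4 : user = some.username\n")
TXN_MSG = ("<150>Nov 18 2016 15:50:23: %ASA-6-113008: AAA transaction status "
           "ACCEPT : user = some.username\n")

# The poster's patterns, verbatim (including the '{%DATA:user}' typo).
ORIGINAL_AUTHN = (r"%{WORD:protocol} user authentication %{WORD:action} : "
                  r"server = %{IP:auth_srv} : user = %{DATA:user}" "\n")
ORIGINAL_TXN = r"%{WORD:protocol} transaction status %{WORD:action} : user = {%DATA:user}" "\n"

# Suggested fixes: %{SPACE} (\s*) absorbs one or two spaces after 'server =',
# and the transaction pattern gets a well-formed %{DATA:user}.
FIXED_AUTHN = (r"%{WORD:protocol} user authentication %{WORD:action} : "
               r"server =%{SPACE}%{IP:auth_srv} : user = %{DATA:user}" "\n")
FIXED_TXN = r"%{WORD:protocol} transaction status %{WORD:action} : user = %{DATA:user}" "\n"

# Progressively longer prefixes of the original authentication pattern.
AUTHN_STEPS = [
    r"%{WORD:protocol} user authentication",
    r"%{WORD:protocol} user authentication %{WORD:action}",
    r"%{WORD:protocol} user authentication %{WORD:action} : server =",
    r"%{WORD:protocol} user authentication %{WORD:action} : server = %{IP:auth_srv}",
    ORIGINAL_AUTHN,
]

if __name__ == "__main__":
    print("original authn :", grok_match(ORIGINAL_AUTHN, AUTHN_MSG))
    print("fixed authn    :", grok_match(FIXED_AUTHN, AUTHN_MSG))
    print("first failure  :", first_failing_prefix(AUTHN_STEPS, AUTHN_MSG))
    print("original txn   :", grok_match(ORIGINAL_TXN, TXN_MSG))
    print("fixed txn      :", grok_match(FIXED_TXN, TXN_MSG))
```

Running it, the original authentication pattern returns no match, the narrowing function stops at the step that adds `%{IP:auth_srv}` after a single space, and the `%{SPACE}` variant captures all four fields. In the real pipeline, `%{SPACE}` is preferable to hard-coding two spaces because the ASA pads that field inconsistently; the Grok Debugger in Kibana applies the same prefix-by-prefix approach interactively.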
