Elk_huh
(Brian)
January 6, 2026, 5:35pm
1
"<190>606524: 876342: Jan 6 2026 17:27:24.835 UTC: %SEC-6-IPACCESSLOGP: list BLOCK-Wifi denied udp 11.12.2.75(51811) -> 111.22.13.60(5246), 2 packets "
The Grok parser succeeds, but I am getting a grok error in Elasticsearch.
grok {
  pattern_definitions => {
    "MYTIMESTAMP" => "%{MONTH:month}\s+%{MONTHDAY:day}\s+%{YEAR:year}\s+%{TIME:time}\s+%{WORD:timezone}"
  }
  match => { "message" => "<%{INT:syslog_priority}>%{INT:log1}: %{INT:log2}: %{MYTIMESTAMP:timestamp}: %%{DATA:syslog_message_type}: %{DATA:log3} %{DATA:DeviceType} %{DATA:Action} %{DATA:protocol} %{IP:src_ip}\(%{INT:src_port}\) %{GREEDYDATA:remove}%{IP:dst_ip}\(%{INT:dst_port}\), %{GREEDYDATA:packet}}
}
mutate {
  add_field => { "devicevendor" => "cisco" }
  add_field => { "deviceproduct" => "switch" }
}
Badger
January 6, 2026, 9:55pm
2
Elk_huh:
match => { "message" => "<%{INT:syslog_priority}>%{INT:log1}: %{INT:log2}: %{MYTIMESTAMP:timestamp}: %%{DATA:syslog_message_type}: %{DATA:log3} %{DATA:DeviceType} %{DATA:Action} %{DATA:protocol} %{IP:src_ip}\(%{INT:src_port}\) %{GREEDYDATA:remove}%{IP:dst_ip}\(%{INT:dst_port}\), %{GREEDYDATA:packet}}
That’s an invalid configuration, so the logstash pipeline will not even start. It is missing the closing double quote. If you add the quote it will successfully grok the message.
Rios
(Rios)
January 7, 2026, 12:00pm
3
Also, the grok pattern is not correct.
Should be like this:
grok {
  pattern_definitions => {
    # "MYTIMESTAMP" => "%{MONTH:month}\s+%{MONTHDAY:day}\s+%{YEAR:year}\s+%{TIME:time}\s+%{WORD:timezone}"
    # The value is only the pattern itself; the name belongs on the left-hand side,
    # not repeated inside the definition as it would be in a patterns file.
    "MYTIMESTAMP" => "%{MONTH}\s+%{MONTHDAY}\s+%{YEAR}\s+%{TIME}\s+%{WORD}"
  }
  match => { "message" => "<%{INT:syslog_priority}>%{INT:log1}: %{INT:log2}: %{MYTIMESTAMP:timestamp}: \%%{DATA:syslog_message_type}: %{DATA:log3} %{DATA:DeviceType} %{DATA:Action} %{DATA:protocol} %{IP:src_ip}\(%{INT:src_port}\) %{DATA} %{IP:dst_ip}\(%{INT:dst_port}\), %{GREEDYDATA:packet}" }
}
Note: the date and time sub-fields have been removed from MYTIMESTAMP, and the "remove" field has been dropped; that part of the message is matched but not assigned to any field.
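To check the corrected pattern offline before loading it into Logstash, here is a small Python grok-to-regex compiler run over the syslog line from the first post. This is an added example, not code from the thread or from Logstash: the stock grok patterns (INT, IP, MONTH, TIME and so on) are simplified re-implementations (IP is IPv4-only here, unlike grok's own), the sample line is the one quoted above with its trailing space dropped, and `parse_timestamp` assumes the timezone word is always UTC. It also shows the difference between the two MYTIMESTAMP definitions: the original one leaks month, day, year, time and timezone as extra top-level fields, the corrected one does not.

```python
"""Minimal grok-to-regex compiler for checking the thread's Cisco ACL pattern offline.
Added example; the base patterns are simplified stand-ins for the real grok ones."""
import re
from datetime import datetime, timezone

# Constructed sample: the syslog line quoted in the first post (trailing space dropped).
SAMPLE = ("<190>606524: 876342: Jan 6 2026 17:27:24.835 UTC: "
          "%SEC-6-IPACCESSLOGP: list BLOCK-Wifi denied udp "
          "11.12.2.75(51811) -> 111.22.13.60(5246), 2 packets")

# Simplified versions of the stock grok patterns the match relies on.
# Assumption: IP is IPv4-only here; grok's real IP pattern also covers IPv6.
BASE = {
    "INT": r"[+-]?\d+",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9]:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?(?![0-9])",
}

# Corrected custom pattern: no sub-field names inside the definition.
DEFS_PLAIN = dict(BASE, MYTIMESTAMP=r"%{MONTH}\s+%{MONTHDAY}\s+%{YEAR}\s+%{TIME}\s+%{WORD}")
# The first post's definition, which names every component as its own field.
DEFS_SUBFIELDS = dict(BASE, MYTIMESTAMP=r"%{MONTH:month}\s+%{MONTHDAY:day}\s+%{YEAR:year}"
                                        r"\s+%{TIME:time}\s+%{WORD:timezone}")

# The corrected match pattern from the last reply (with its closing quote intact).
MATCH = (r"<%{INT:syslog_priority}>%{INT:log1}: %{INT:log2}: %{MYTIMESTAMP:timestamp}: "
         r"\%%{DATA:syslog_message_type}: %{DATA:log3} %{DATA:DeviceType} %{DATA:Action} "
         r"%{DATA:protocol} %{IP:src_ip}\(%{INT:src_port}\) %{DATA} "
         r"%{IP:dst_ip}\(%{INT:dst_port}\), %{GREEDYDATA:packet}")

# A %{NAME} or %{NAME:field} reference inside a grok pattern.
REF = re.compile(r"%\{(?P<name>\w+)(?::(?P<field>\w+))?\}")


def compile_grok(pattern, defs):
    """Expand %{NAME:field} references recursively into a compiled Python regex.
    A named reference becomes a named group; an unnamed one a non-capturing group,
    which mirrors grok's default of keeping only named captures."""
    def expand(text):
        def repl(m):
            name, field = m.group("name"), m.group("field")
            inner = expand(defs[name])  # definitions may reference other patterns
            return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
        return REF.sub(repl, text)
    return re.compile(expand(pattern))


def grok(line, pattern=MATCH, defs=DEFS_PLAIN):
    """Return the named captures as a dict, or None when the pattern does not match."""
    m = compile_grok(pattern, defs).search(line)
    return m.groupdict() if m else None


def parse_timestamp(ts):
    """Turn the MYTIMESTAMP text into an aware datetime, as a date filter would.
    Assumption: the trailing timezone word is always UTC, as in the sample."""
    text, tz = ts.rsplit(" ", 1)
    if tz != "UTC":
        raise ValueError(f"unexpected timezone {tz!r}")
    return datetime.strptime(text, "%b %d %Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    event = grok(SAMPLE)
    for key, value in event.items():
        print(f"{key:>20}: {value}")
    print(parse_timestamp(event["timestamp"]).isoformat())
    # Fields that only appear with the original, sub-field-naming definition:
    print(sorted(set(grok(SAMPLE, defs=DEFS_SUBFIELDS)) - set(event)))
```

Running the script prints the fourteen named fields the corrected pattern produces, the parsed UTC timestamp, and the five extra keys (day, month, time, timezone, year) that the original MYTIMESTAMP definition would add to every event. A line that does not match returns None, which is the case to watch for when the pattern changes.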