It is doable, I think. The biggest concern is that there are multiple hex and ASCII sets in each multiline message field. It will be quite a bit of trial and error.
You need to add the fields to the event before the grok filter. In the file input, add (I don't know whether this works):
    add_field => { "hex" => [] "ascii" => [] }
In your grok filter add a custom pattern.
    filter {
      grok {
        # one dump line: 16 hex bytes separated by a space or a dash, a space,
        # the 16-character ASCII column, a space and the closing "|"
        match => { "message" => ":\s(?<hex>[0-9a-fA-F]{2}(?:[\s-][0-9a-fA-F]{2}){15})\s(?<ascii>.{16})\s\|" }
        break_on_match => false
      }
    }
How I think it works...
We add two fields that have empty arrays, hex and ascii.
As grok applies the matched text it sees that the hex or ascii field is an array and appends the matched text to each one.
So...
hex -> ["38 7a 22 46 5b 0c 32 af-65 45 5b 5a e3 a1 ed 13", "99 ba d8 99 23 c3 a4 b3-b8 77 61 4c ae 79 08 c6", "22 a7 c2 e5 bc 1a 02 a9-6a b8 7a d0 1c 1a 5e ca"]
ascii -> ["8z\"F[.2.eE[Z....", "....#....waL.y..", "\".......j.z...^."]
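One way to get every dump line of a multiline message into the two arrays, as an added example that is not part of the original post: a plain Ruby script that scans the message with a grok-style pattern and collects one entry per line. The same logic could sit in the body of a Logstash `ruby` filter, reading `event.get("message")` and writing the arrays back with `event.set`; the dump line layout, the field names `hex`/`ascii` and the sample message are assumptions constructed for the example.

```ruby
# Added example, not code from the original post.
# Assumed dump line layout: "<offset>: <16 bytes, space- or dash-separated> <16 ASCII chars> |"

# One 16-byte dump line. The hex group stops at the last byte (no trailing
# separator), the ASCII group is exactly 16 characters before " |".
DUMP_LINE = /:\s(?<hex>[0-9a-fA-F]{2}(?:[ -][0-9a-fA-F]{2}){15})\s(?<ascii>.{16})\s\|/

# Returns [hex_lines, ascii_lines], one entry per dump line, in message order.
# scan with a block yields the named groups in definition order, so every
# line is collected, not just the first match as a single grok pattern gives.
def extract_dump(message)
  hex = []
  ascii = []
  message.scan(DUMP_LINE) do |h, a|
    hex << h
    ascii << a
  end
  [hex, ascii]
end

# Re-derive the printable column from the bytes (non-printable -> ".") so a
# parsed line can be checked against its own ASCII rendering.
def render_ascii(hex_line)
  hex_line.split(/[ -]/).map do |byte|
    c = byte.to_i(16)
    (0x20..0x7e).cover?(c) ? c.chr : "."
  end.join
end

# True when every captured ASCII column matches the bytes beside it.
def consistent?(hex, ascii)
  hex.length == ascii.length && hex.zip(ascii).all? { |h, a| render_ascii(h) == a }
end

# Constructed sample message (three dump lines plus a leading text line).
SAMPLE_MESSAGE = <<~DUMP
  Received 48 bytes from peer:
  0000: 38 7a 22 46 5b 0c 32 af-65 45 5b 5a e3 a1 ed 13 8z"F[.2.eE[Z.... |
  0010: 99 ba d8 99 23 c3 a4 b3-b8 77 61 4c ae 79 08 c6 ....#....waL.y.. |
  0020: 22 a7 c2 e5 bc 1a 02 a9-6a b8 7a d0 1c 1a 5e ca ".......j.z...^. |
DUMP

# Inside a Logstash ruby filter the equivalent body would be (assumed field names):
#   hex, ascii = extract_dump(event.get("message"))
#   event.set("hex", hex)
#   event.set("ascii", ascii)

if __FILE__ == $PROGRAM_NAME
  hex, ascii = extract_dump(SAMPLE_MESSAGE)
  puts "hex   -> #{hex.inspect}"
  puts "ascii -> #{ascii.inspect}"
  puts "consistent: #{consistent?(hex, ascii)}"
end
```

The separator class is `[ -]` rather than `\s` so a run of bytes can never be matched across a line break; `.{16}` already cannot cross one. Messages with no dump lines yield two empty arrays rather than an error.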