Multiple Grok patterns help

Zorkmid · August 31, 2021, 10:15pm

Hi All,
I'm doing something wrong with the following. The goal is parse 5 basic events from a PulseSecure VPN syslog feed. Is the following the correct??

filter {
    if "PulseSecure" in [message] {

         grok {
            match => {

            "message" => [
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - %{GREEDYDATA:message}”,
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - %{GREEDYDATA:message} (?<AssignedIP>((?:[0-9]{1,3}\.){3}[0-9]{1,3})\s)”,
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - (?<ERROR_MSG>(.*?)\)\.) %{GREEDYDATA:message}\#”,
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - (?<SSL_Failure>SSL (.*?))\. %{GREEDYDATA:message}\#”,
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - CRL(?<CRL>(.*?))\s\'CN\=(?<UserName>(.*?))\,\sOU\=(?<OrgName>(.*?))\,\s%{GREEDYDATA:message}”
                        ]
                 }
          }
    }
}

Regards
TimW

Badger · August 31, 2021, 11:54pm

No. You need to match the most specific pattern first, then get gradually less specific. In your case the first pattern will match every time.

I suggest you also read through this post, since you can probably greatly speed up that configuration.

Zorkmid · September 1, 2021, 4:05am

Thanks Badger and understood on the ordering of the patterns.

2nd task is to find out why the above even if reduced to a single pattern causes logstash to error with a config issue. :--)

Badger · September 1, 2021, 5:05am

Perhaps the use of curly quotes. Use double quotes -- "

Zorkmid · September 1, 2021, 3:17pm

oh dear - killed by cut and paste and overly helpful app!!!
Thank you.

system · September 29, 2021, 3:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok pattern matching Logstash	4	1383	February 27, 2020
Grok filter multiple match Logstash	4	18214	October 31, 2019
Multile pattren in single Grok Filter Logstash	5	285	August 28, 2018
_grokparsefailure even though the right patterns are there Logstash	5	648	August 17, 2017
Grok Patterns? for OpenVPN Logstash	3	4252	July 6, 2017

Multiple Grok patterns help

Related topics