Multiple Grok patterns help

Hi All,
I'm doing something wrong with the following. The goal is parse 5 basic events from a PulseSecure VPN syslog feed. Is the following the correct??

filter {
    if "PulseSecure" in [message] {

         grok {
            match => {

            "message" => [
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - %{GREEDYDATA:message}”,
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - %{GREEDYDATA:message} (?<AssignedIP>((?:[0-9]{1,3}\.){3}[0-9]{1,3})\s)”,
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - (?<ERROR_MSG>(.*?)\)\.) %{GREEDYDATA:message}\#”,
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - (?<SSL_Failure>SSL (.*?))\. %{GREEDYDATA:message}\#”,
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - CRL(?<CRL>(.*?))\s\'CN\=(?<UserName>(.*?))\,\sOU\=(?<OrgName>(.*?))\,\s%{GREEDYDATA:message}”


No. You need to match the most specific pattern first, then get gradually less specific. In your case the first pattern will match every time.

I suggest you also read through this post, since you can probably greatly speed up that configuration.

Thanks Badger and understood on the ordering of the patterns.

2nd task is to find out why the above even if reduced to a single pattern causes logstash to error with a config issue. :--)

Perhaps the use of curly quotes. Use double quotes -- "

oh dear - killed by cut and paste and overly helpful app!!!
Thank you.