Multiple Grok patterns help

Zorkmid · August 31, 2021, 10:15pm

Hi All,
I'm doing something wrong with the following. The goal is parse 5 basic events from a PulseSecure VPN syslog feed. Is the following the correct??

filter {
    if "PulseSecure" in [message] {

         grok {
            match => {

            "message" => [
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - %{GREEDYDATA:message}”,
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - %{GREEDYDATA:message} (?<AssignedIP>((?:[0-9]{1,3}\.){3}[0-9]{1,3})\s)”,
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - (?<ERROR_MSG>(.*?)\)\.) %{GREEDYDATA:message}\#”,
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - (?<SSL_Failure>SSL (.*?))\. %{GREEDYDATA:message}\#”,
                        “%{SYSLOGBASE} %{TIMESTAMP_ISO8601:timestamp} - %{WORD:IVE} - \[%{IP:ClientIP}\] (?<UserID>[^(]*)(?<VpnProfile>(.*?))\[(?<Realm>(.*?))\] - CRL(?<CRL>(.*?))\s\'CN\=(?<UserName>(.*?))\,\sOU\=(?<OrgName>(.*?))\,\s%{GREEDYDATA:message}”
                        ]
                 }
          }
    }
}

Regards
TimW

Badger · August 31, 2021, 11:54pm

No. You need to match the most specific pattern first, then get gradually less specific. In your case the first pattern will match every time.

I suggest you also read through this post, since you can probably greatly speed up that configuration.

Zorkmid · September 1, 2021, 4:05am

Thanks Badger and understood on the ordering of the patterns.

2nd task is to find out why the above even if reduced to a single pattern causes logstash to error with a config issue. :--)

Badger · September 1, 2021, 5:05am

Perhaps the use of curly quotes. Use double quotes -- "

Zorkmid · September 1, 2021, 3:17pm

oh dear - killed by cut and paste and overly helpful app!!!
Thank you.

system · September 29, 2021, 3:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.