I am attempting to write my first grok filter, but I'm not getting any logs parsed. Here is my sample log.
<30>2020:02:26-12:41:48 aua[18909]: id="3005" severity="warn" sys="System" sub="auth"
name="Authentication failed" srcip="1.2.3.4" host="" user="admin" caller="openvpn"
reason="DENIED"
I'm only interested in four fields. I've used the grok debugger https://grokdebug.herokuapp.com/ with the pattern below and it parses correctly.
.*name="%{DATA:event.action}".*srcip="%{IP:source.ip}".*user="%{USER:user.name}".*caller="%{WORD:event.type}"
Here is my grok filter. I thought it was something to do with the double quotes, so I tried escaping them, but there was no change. I'm very new to this, so I'm not sure whether this is the easiest method or whether there is something else I need to do to create this filter.
grok {
  match => { "message" => ".*name=\"%{DATA:event.action}\".*srcip=\"%{IP:source.ip}\".*user=\"%{USER:user.name}\".*caller=\"%{WORD:event.type}\"" }
}
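As an added example (not from the post and not Logstash's own code), here is a small Python stand-in for grok that expands the post's pattern into a regex and runs it over the sample event joined onto one line. The pattern definitions are simplified assumptions, not the real grok library (IP is reduced to IPv4, USER to USERNAME), and it also checks what happens when the message field contains a line break.

```python
import re

# Simplified subset of the stock grok pattern library (assumption: not the exact
# Logstash definitions; IP is reduced to IPv4 and USER to USERNAME).
GROK_PATTERNS = {
    "DATA": r".*?",
    "WORD": r"\b\w+\b",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "USER": r"%{USERNAME}",
    "IPV4": r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}"
            r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?![0-9])",
    "IP": r"%{IPV4}",
}

# %{NAME} or %{NAME:field}; field names may contain dots, as in the post.
GROK_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")

def grok_to_regex(pattern, captures):
    """Expand grok references into a Python regex. Dotted field names are not
    legal Python group names, so each capture gets a synthetic group name that
    is mapped back to the grok field name via `captures`."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK_PATTERNS[name], captures)
        if field is None:
            return f"(?:{inner})"
        group = f"g{len(captures)}"
        captures[group] = field
        return f"(?P<{group}>{inner})"
    return GROK_REF.sub(repl, pattern)

def grok_match(pattern, message):
    """Return {field: value} for the first match, or None. Grok is unanchored,
    so this searches rather than matches; '.' does not cross a newline, which
    matters if an event arrives with embedded line breaks."""
    captures = {}
    m = re.compile(grok_to_regex(pattern, captures)).search(message)
    return None if m is None else {captures[g]: v for g, v in m.groupdict().items()}

# The post's own pattern, and its sample event joined onto a single line.
PATTERN = (r'.*name="%{DATA:event.action}".*srcip="%{IP:source.ip}"'
           r'.*user="%{USER:user.name}".*caller="%{WORD:event.type}"')
SAMPLE = ('<30>2020:02:26-12:41:48 aua[18909]: id="3005" severity="warn" sys="System" sub="auth" '
          'name="Authentication failed" srcip="1.2.3.4" host="" user="admin" caller="openvpn" reason="DENIED"')

if __name__ == "__main__":
    print(grok_match(PATTERN, SAMPLE))
    # Constructed variant with a line break between srcip and user: '.*' cannot cross it.
    print(grok_match(PATTERN, SAMPLE.replace(' user="', '\nuser="')))
```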