Need help with log filtering

Problem Description:
I have the following log that needs to be filtered, and I found some of the Cisco ASA filters to be really useful.
Jul 09 2017 23:34:50: %ASA-4-106023: Deny tcp src outside:1.2.3.4.5 ......

However, there is one issue: in all of the examples, the ASA log pattern is slightly different from mine. They all have a priority number at the beginning, like this:
<123>Jul 09 2017 23:34:50: %ASA-4-106023: Deny tcp src outside:1.2.3.4.5 ......

Using the same filter pattern obviously caused trouble and the parse was incomplete, which resulted in the timestamp being incorrectly parsed. The <123> portion is filtered by syslog_pri { }, which is part of {CISCO_TAGGED_SYSLOG}. This is all built in within the plugin, so I can't really change anything. Here is the grok library: http://grokconstructor.appspot.com/groklib/firewalls

Below is my code that filters it. I thought I could get away with removing the "syslog_pri {}", but that didn't work.

filter {
  # Match the tagged form: <PRI>, Cisco timestamp, optional host, %ASA-x-nnnnnn tag
  grok {
    match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
  }

  # Parse the syslog severity and facility from the syslog_pri field
  syslog_pri { }

  # Parse the date from the "timestamp" field to the "@timestamp" field
  date {
    match => ["timestamp",
      "MMM dd HH:mm:ss",
      "MMM  d HH:mm:ss",
      "MMM dd yyyy HH:mm:ss",
      "MMM  d yyyy HH:mm:ss"
    ]
    timezone => "America/New_York"
  }
}

So my question is: is there any way that I can skip the part where the regex looks for <123>? I'd imagine that I could somehow put a regex to negate the <123> regex in front of the {CISCO_TAGGED_SYSLOG} portion?

Thanks for any help!

OK, I figured it out, by simply breaking down the {CISCO_TAGGED_SYSLOG} portion into the following:

%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message}
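To see what the rewritten pattern above actually matches, here is an added stand-alone illustration (not code from the thread, the grok library or Logstash) that expresses the same pattern in plain Python regexes, with the leading <PRI> tag made optional so one expression covers both line shapes from the question. It also reproduces what the syslog_pri and date filters do with the extracted fields: facility and severity codes from the PRI value, and the timestamp parsed with the same "with year" / "without year" formats listed in the config. The MONTH, MONTHDAY, YEAR, TIME, SYSLOGHOST and CISCOTAG sub-patterns are simplified versions of the grok definitions, not copies, and the ASA log lines are constructed samples.

```python
"""Parse Cisco ASA syslog lines with or without a leading <PRI> tag.

Python equivalent of the grok pattern
  %{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message}
with an optional <PRI> prefix in front. Sub-patterns are simplified
stand-ins for the grok library definitions (assumption, not copies).
"""
import re
from datetime import datetime

MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
MONTHDAY = r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])"
YEAR = r"(?:\d{4}|\d{2})"
TIME = r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9]:(?:[0-5][0-9]|60)"
CISCOTIMESTAMP = rf"{MONTH} +{MONTHDAY}(?: {YEAR})? {TIME}"
SYSLOGHOST = r"[A-Za-z0-9][A-Za-z0-9._-]*"
CISCOTAG = r"[A-Z0-9]+-[0-9]+-[A-Z0-9_]+"

ASA_LINE = re.compile(
    r"^(?:<(?P<syslog_pri>[0-9]{1,3})>)?"      # optional <PRI> added by a syslog relay
    rf"(?P<timestamp>{CISCOTIMESTAMP})"
    rf"(?: (?P<sysloghost>{SYSLOGHOST}))?"      # optional hostname after the timestamp
    rf" ?: %(?P<ciscotag>{CISCOTAG}): "         # ": %ASA-4-106023: "
    r"(?P<cisco_message>.*)$"
)

# Severity names in RFC 5424 order, index == severity code
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Same two shapes as the date filter's match list; strptime treats a single
# space in the format as "one or more spaces", so "MMM  d" is covered too.
TIMESTAMP_FORMATS = ["%b %d %Y %H:%M:%S", "%b %d %H:%M:%S"]

# Constructed sample lines (not from the thread): the question's shape,
# the same event as a relay would forward it, and a year-less variant.
SAMPLE_LINES = [
    'Jul 09 2017 23:34:50: %ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.0.0.5/22 by access-group "outside_in"',
    '<164>Jul 09 2017 23:34:50 fw01: %ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.0.0.5/22 by access-group "outside_in"',
    "Jul  9 23:34:50 fw01 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51234 to inside:10.0.0.5/22",
]


def parse_timestamp(text, default_year=None):
    """Mimic the date filter: try the with-year format first, then the
    year-less one. A year-less stamp gets default_year (the current year
    when not given), which is what the Logstash date filter does."""
    for fmt in TIMESTAMP_FORMATS:
        try:
            dt = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if "%Y" not in fmt:
            dt = dt.replace(year=default_year or datetime.now().year)
        return dt
    raise ValueError(f"unrecognised Cisco timestamp: {text!r}")


def parse_asa(line, default_year=None):
    """Return the grok-style fields for one ASA line, or None if it does
    not match. Adds the syslog_pri filter's facility/severity fields only
    when a <PRI> tag was actually present."""
    m = ASA_LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["timestamp_parsed"] = parse_timestamp(event["timestamp"], default_year)
    pri = event.pop("syslog_pri")
    if pri is not None:                 # same arithmetic as syslog_pri { }
        pri = int(pri)
        event["syslog_facility_code"] = pri // 8
        event["syslog_severity_code"] = pri % 8
        event["syslog_severity"] = SEVERITY_NAMES[pri % 8]
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_asa(sample))
```

The untagged line yields timestamp, ciscotag and cisco_message with sysloghost empty and no facility/severity fields, while the <164> line additionally yields facility 20 and severity "warning", which is the same split the syslog_pri filter would produce; both parse to the same 2017-07-09 23:34:50 timestamp, so removing the tag no longer shifts what ends up in @timestamp.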
