New pattern won't work cisco vpn

tomi · January 18, 2017, 4:45pm

I have an ASA that record some vpn logs. those aren't included in the core-patterns. so I defined a simple patterns its seem to be working fine in testing envi which is running 5.1.1 logstash. but when moving the same config to prod which is running 5.0.0 I face the undesirable error.

Pipeline aborted due to error {:exception=>#<Grok::PatternError: pattern %{CISCOFW113008} not defined

are there any major differences with the 2 version of logstash.

a simple test

this is the pattern file
CISCOFW113008 %{CISCO_ACTION:action} : user = %{USER:user}

which also contain the actions required.

thanks

kopacko · January 18, 2017, 5:02pm

I moved away from defined patterns long ago.

It's allowed much more granularity when to comes to field creation and naming.

You might want to do the same.

If you have a log you can post, I can build a pattern for you.

tomi · January 18, 2017, 8:35pm

Thank you. I just hard coded the patterns instead of using pattern_dir.

system · February 15, 2017, 8:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.