[SOLVED] Grok or not Grok on SophosXG

apologies but I'm struggling to find a good reference document with examples, and I'm basing this on test and fail from a pattern test tool.
I'm trying to parse a SophosXG log message, as this one below:
device="SFW" log_type="Firewall" src_ip=111.222.333.444

there's many fields defined on the same structure TAG=VALUE
is there a way to get all tags and associated values?
Right now I'm having to use (device=%{QS:device_01}) entries for each value, which is slow and painful.

Any help or direction to the right documentation would be appreciated.

Look at using the kv filter instead of grok for this type of data.

1 Like

Grok Patterns


For online grok parsing


Kv filter using whitespace worked like charm. Thank you.

if [type] == "sophosxg" {
kv {
whitespace => strict

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.