I am trying to parse the following syslog message and keep getting a grokparsefailure
message as sent from Gigaflow
{"Application":"TCP/34056","Eventer":"172.0.0.1","Syn Type":"Destination","appid":427272,"bytes":152,"device":"172.0.0.1","domain":"","dstadd":"172.0.0.1","dstport":34056,"duration":1124,"eventname":"Syn Dst Port Sweep","flags":2,"fwevent":0,"fwextcode":0,"inif":14,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":30,"packets":3,"proto":6,"srcadd":"172.0.0.1","srcport":57058,"time":1475147662254,"timeH":"29-Sep-2016 12:14:22.254","tos":0,"user":""}
Message as seen in logstash
<189>{\"Application\":\"TCP/34056\",\"Eventer\":\"172.0.0.1\",\"Syn Type\":\"Destination\",\"appid\":427272,\"bytes\":152,\"device\":\"172.0.0.1\",\"domain\":\"\",\"dstadd\":\"172.0.0.1\",\"dstport\":34056,\"duration\":1124,\"eventname\":\"Syn Dst Port Sweep\",\"flags\":2,\"fwevent\":0,\"fwextcode\":0,\"inif\":14,\"macdst\":"00:00:00:00:00:00\",\"macsrc\":\"00:00:00:00:00:00\",\"outif\":30,\"packets\":3,\"proto\":6,\"srcadd\":\"172.0.0.1\",\"srcport\":57058,\"time\":1475147662254,\"timeH\":\"29-Sep-2016 12:14:22.254\",\"tos\":0,\"user\":\"\"}
The Parser code I have appears to be failing at "Ap
match => [ 'message', '<%{POSINT:syslog_pri}>.*\/%{NUMBER:appport}.*Syn Type\\":\\"%{WORD:syntype}\\",\\"appid\\":%{NUMBER:appid},\\"by.*device\\":\\"%{IP:deviceip}\\",\\"dom.*dstadd\\":\\"%{IP:dstip}\\",\\"dstport\\":%{NUMBER:dstport},.*eventname\\":\\"%{GREEDYDATA:eventname}\\",\\"fl.*macdst\\":\\"%{MAC:macdst}\\",\\"macsrc\\":\\"%{MAC:macsrc}.*srcadd\\":\\"%{IP:srcip}\\",\\"srcport\\":%{NUMBER:srcport}' ]