We have 2 different Sourcefire appliances. One of them sends extra information, HTTPResponse.
Aug 31 18:51:28 oaks-corp-inet-sfr02 SFIMS: Protocol: TCP, SrcIP: 213.136.75.234, DstIP: 10.40.0.39, Context: INET, ACPolicy: Oaks Access Control Policy, NAPPolicy: SEI Network Analysis Policy
Aug 31 18:51:28 oaks-corp-inet-sfr01 SFIMS: Protocol: TCP, SrcIP: 213.136.75.234, DstIP: 10.40.0.39, Context: INET, ACPolicy: Oaks Access Control Policy, NAPPolicy: SEI Network Analysis Policy, HTTPResponse: 200
The problem is that the HTTPResponse information is located at the end of the log. If it were in the middle of the log, like Context, it would be fine.
Neither one of the following is able to handle both types of logs in http://grokdebug.herokuapp.com/.
%{SYSLOGTIMESTAMP} %{IPORHOST:sm_hostname} %{GREEDYDATA} SrcIP: %{IP:sm_src_ip}, DstIP: %{IP:sm_dst_ip},(?:Context: %{DATA:sm_context}, )?ACPolicy: %{DATA:sm_scpolicy}, NAPPolicy: %{DATA:sm_nappolicy}(?:, HTTPResponse: %{NUMBER:sm_httpresponse})?
%{SYSLOGTIMESTAMP} %{IPORHOST:sm_hostname} %{GREEDYDATA} SrcIP: %{IP:sm_src_ip}, DstIP: %{IP:sm_dst_ip},(?:Context: %{DATA:sm_context}, )?ACPolicy: %{DATA:sm_scpolicy}, NAPPolicy: %{GREEDYDATA:sm_nappolicy}(?:, HTTPResponse: %{NUMBER:sm_httpresponse})?
Any ideas?
Thank you
Victor
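An added Python example (not part of Victor's post) that shows why both patterns fail and what the fix is. The grok primitives are expanded to plain regex using their standard definitions (DATA is `.*?`, GREEDYDATA is `.*`), the post's field names are kept, and the three variants are run over the two log lines quoted above. The difference is only in how the NAPPolicy value is matched: without an end anchor the lazy DATA is allowed to match an empty string and the optional HTTPResponse group is skipped, while GREEDYDATA swallows the HTTPResponse into sm_nappolicy. Adding a `$` anchor after the optional group (and a space after the DstIP comma, which the log lines have) makes DATA stretch exactly as far as needed on both appliances; the grok form of that corrected pattern is shown in the comment.

```python
import re

# Constructed sample lines, copied from the two appliances quoted in the post.
LOG_SFR02 = (
    "Aug 31 18:51:28 oaks-corp-inet-sfr02 SFIMS: Protocol: TCP, SrcIP: 213.136.75.234, "
    "DstIP: 10.40.0.39, Context: INET, ACPolicy: Oaks Access Control Policy, "
    "NAPPolicy: SEI Network Analysis Policy"
)
LOG_SFR01 = LOG_SFR02.replace("sfr02", "sfr01") + ", HTTPResponse: 200"

# Grok equivalent of the fix (assumed here, not from the post): the poster's first
# pattern with a space after the DstIP comma and a "$" anchor at the very end, so
# DATA must extend to the end of the line instead of matching the empty string.
#
#   %{SYSLOGTIMESTAMP} %{IPORHOST:sm_hostname} %{GREEDYDATA} SrcIP: %{IP:sm_src_ip},
#   DstIP: %{IP:sm_dst_ip}, (?:Context: %{DATA:sm_context}, )?ACPolicy: %{DATA:sm_scpolicy},
#   NAPPolicy: %{DATA:sm_nappolicy}(?:, HTTPResponse: %{NUMBER:sm_httpresponse})?$

# Everything up to the NAPPolicy value, expanded to plain regex so it runs here.
PREFIX = (
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "  # SYSLOGTIMESTAMP
    r"(?P<sm_hostname>[\w.-]+) "                                       # IPORHOST
    r".* "                                                             # GREEDYDATA
    r"SrcIP: (?P<sm_src_ip>(?:\d{1,3}\.){3}\d{1,3}), "                 # IP
    r"DstIP: (?P<sm_dst_ip>(?:\d{1,3}\.){3}\d{1,3}), "                 # IP
    r"(?:Context: (?P<sm_context>.*?), )?"                             # DATA, optional
    r"ACPolicy: (?P<sm_scpolicy>.*?), "                                # DATA
    r"NAPPolicy: "
)
TAIL = r"(?:, HTTPResponse: (?P<sm_httpresponse>\d+))?"                # NUMBER, optional

# The poster's two variants (no end anchor) and the corrected one; they differ only
# in how sm_nappolicy is captured and whether the line end is anchored.
DATA_UNANCHORED = re.compile(PREFIX + r"(?P<sm_nappolicy>.*?)" + TAIL)     # first attempt
GREEDY_UNANCHORED = re.compile(PREFIX + r"(?P<sm_nappolicy>.*)" + TAIL)    # second attempt
DATA_ANCHORED = re.compile(PREFIX + r"(?P<sm_nappolicy>.*?)" + TAIL + r"$")  # fixed


def parse_sfims(line, pattern=DATA_ANCHORED):
    """Return the named fields as a dict (absent optional fields are None), or None on no match."""
    m = pattern.match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    variants = [("DATA, no anchor", DATA_UNANCHORED),
                ("GREEDYDATA, no anchor", GREEDY_UNANCHORED),
                ("DATA + $ anchor", DATA_ANCHORED)]
    for name, pat in variants:
        for line in (LOG_SFR02, LOG_SFR01):
            f = parse_sfims(line, pat)
            print(f"{name:22} {f['sm_hostname']}: NAPPolicy={f['sm_nappolicy']!r} "
                  f"HTTPResponse={f['sm_httpresponse']!r}")
```

Running it prints sm_nappolicy as an empty string for the DATA variant and as "SEI Network Analysis Policy, HTTPResponse: 200" for the GREEDYDATA variant, while the anchored pattern yields the policy name on both lines and sm_httpresponse only on the sfr01 line. If the policy names can never contain a comma, a custom pattern such as `(?<sm_nappolicy>[^,]+)` is a stricter alternative to anchoring and keeps working even when more trailing fields are added later.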