Grok a log with possible extra field in the end


(Victor Feng) #1

We have two different Sourcefire appliances. One of them sends an extra field, HTTPResponse.

Aug 31 18:51:28 oaks-corp-inet-sfr02 SFIMS: Protocol: TCP, SrcIP: 213.136.75.234, DstIP: 10.40.0.39, Context: INET, ACPolicy: Oaks Access Control Policy, NAPPolicy: SEI Network Analysis Policy

Aug 31 18:51:28 oaks-corp-inet-sfr01 SFIMS: Protocol: TCP, SrcIP: 213.136.75.234, DstIP: 10.40.0.39, Context: INET, ACPolicy: Oaks Access Control Policy, NAPPolicy: SEI Network Analysis Policy, HTTPResponse: 200

The problem is that the HTTPResponse information is located at the end of the log. If it were in the middle of the log, like Context, it would be fine.

Neither of the following is able to handle both types of log in http://grokdebug.herokuapp.com/.
%{SYSLOGTIMESTAMP} %{IPORHOST:sm_hostname} %{GREEDYDATA} SrcIP: %{IP:sm_src_ip}, DstIP: %{IP:sm_dst_ip},(?:Context: %{DATA:sm_context}, )?ACPolicy: %{DATA:sm_scpolicy}, NAPPolicy: %{DATA:sm_nappolicy}(?:, HTTPResponse: %{NUMBER:sm_httpresponse})?

%{SYSLOGTIMESTAMP} %{IPORHOST:sm_hostname} %{GREEDYDATA} SrcIP: %{IP:sm_src_ip}, DstIP: %{IP:sm_dst_ip},(?:Context: %{DATA:sm_context}, )?ACPolicy: %{DATA:sm_scpolicy}, NAPPolicy: %{GREEDYDATA:sm_nappolicy}(?:, HTTPResponse: %{NUMBER:sm_httpresponse})?

Any ideas?
Thank you

Victor
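An added example (not from the post, and not grok/Logstash code) that replays the two posted NAPPolicy variants and an anchored fix as Python regexes; the regex equivalents of the grok primitives (SYSLOGTIMESTAMP, IPORHOST, IP, DATA, GREEDYDATA, NUMBER) and the two sample lines are assumptions modelled on the post.

```python
import re

# Constructed sample lines modelled on the two SFIMS events in the post.
LOG_WITHOUT_HTTP = ("Aug 31 18:51:28 oaks-corp-inet-sfr02 SFIMS: Protocol: TCP, "
                    "SrcIP: 213.136.75.234, DstIP: 10.40.0.39, Context: INET, "
                    "ACPolicy: Oaks Access Control Policy, "
                    "NAPPolicy: SEI Network Analysis Policy")
LOG_WITH_HTTP = LOG_WITHOUT_HTTP.replace("sfr02", "sfr01") + ", HTTPResponse: 200"

# Assumed regex equivalents of the grok patterns used in the post.
IP = r"(?:\d{1,3}\.){3}\d{1,3}"                       # %{IP}
PREFIX = (r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} "  # %{SYSLOGTIMESTAMP}
          r"(?P<sm_hostname>\S+) .*? "                   # %{IPORHOST} %{GREEDYDATA}
          rf"SrcIP: (?P<sm_src_ip>{IP}), DstIP: (?P<sm_dst_ip>{IP}), "
          r"(?:Context: (?P<sm_context>.*?), )?"         # optional Context
          r"ACPolicy: (?P<sm_scpolicy>.*?), NAPPolicy: ")
SUFFIX = r"(?:, HTTPResponse: (?P<sm_httpresponse>\d+))?"  # optional %{NUMBER}

# Posted variant 1: DATA (.*?) with nothing after the optional group. The lazy
# match stops immediately, so NAPPolicy comes back empty on both lines.
PATTERN_LAZY = re.compile(PREFIX + r"(?P<sm_nappolicy>.*?)" + SUFFIX)

# Posted variant 2: GREEDYDATA (.*) swallows ", HTTPResponse: 200", so the
# optional group never gets a chance to capture the response code.
PATTERN_GREEDY = re.compile(PREFIX + r"(?P<sm_nappolicy>.*)" + SUFFIX)

# Fix: lazy DATA plus an end-of-line anchor. The engine must now extend the
# NAPPolicy capture until the optional suffix (or the bare line end) matches.
# Grok equivalent:
#   NAPPolicy: %{DATA:sm_nappolicy}(?:, HTTPResponse: %{NUMBER:sm_httpresponse})?$
PATTERN_ANCHORED = re.compile(PREFIX + r"(?P<sm_nappolicy>.*?)" + SUFFIX + r"$")


def parse(pattern, line):
    """Return the named captures for the first match, or None if the pattern fails."""
    m = pattern.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    variants = [("DATA, unanchored", PATTERN_LAZY),
                ("GREEDYDATA, unanchored", PATTERN_GREEDY),
                ("DATA + $ anchor", PATTERN_ANCHORED)]
    for name, pat in variants:
        for line in (LOG_WITHOUT_HTTP, LOG_WITH_HTTP):
            f = parse(pat, line)
            print(f"{name:24} nappolicy={f['sm_nappolicy']!r} "
                  f"httpresponse={f['sm_httpresponse']!r}")
```

One more thing to check against the sample lines: the posted patterns read `DstIP: %{IP:sm_dst_ip},(?:Context:` with no space after the comma, while the log has `, Context`; the example above uses `, ` as the separator throughout.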


(system) #2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.