I set up some syslog inputs for Synology Diskstations and have been creating a couple of Grok extractors to get the relevant information out. When testing the extractor, it works appropriately against the test message, but when the next message comes after the extractor was applied, it doesn’t contain all the extracted information.
This is the test message I am using:
DISKSTATION Connection: User [COMPANY\user] from [10.0.0.1(10.0.0.1)] via [CIFS(SMB2)] accessed shared folder [Folder].
Here is the grok pattern I am using:
%{HOSTNAME:Host} %{PROG:Program}: User [COMPANY\%{DATA:User}] from [%{IPV4:Client IP}%{DATA:UNWANTED}] via [%{DATA:Access Type}] accessed shared folder [%{DATA:Folder}].
And that works as intended, pulling the named fields I want, in the test center. But when the next message comes in after the pattern is applied, it doesn’t get all of the information I want. It fails to extract the Client IP and Access Type.
I have it set to only attempt extraction if this string is found: “Connection: User”
Any assistance would be appreciated, and I can supply more info if needed!
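As an added example (not the poster's extractor and not Graylog's own code), here is a minimal grok expander in Python that rewrites %{NAME:field} references into named regex groups and runs the sample message through the pattern from the post, so the regex the grok actually becomes can be inspected offline. It assumes simplified stand-ins for the HOSTNAME, PROG, DATA and IPV4 patterns, escapes the literal brackets, backslash and trailing period, and uses underscore field names; all of those are this example's assumptions, not something the post states.

```python
import re

# Simplified stand-ins for the stock grok patterns referenced in the post
# (assumption: the real Graylog definitions are longer; these cover the sample).
GROK_PATTERNS = {
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9_-]*",
    "PROG": r"[A-Za-z0-9._/%-]+",
    "DATA": r".*?",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
}

# A %{NAME} or %{NAME:field} reference inside a grok pattern.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand every %{NAME:field} reference into a Python named group."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(repl, pattern)


def grok_match(pattern, message):
    """Return the extracted fields as a dict, or None when nothing matches."""
    m = re.match(grok_to_regex(pattern), message)
    return m.groupdict() if m else None


# Constructed sample: the same text as the test message in the post.
MESSAGE = (
    "DISKSTATION Connection: User [COMPANY\\user] from [10.0.0.1(10.0.0.1)] "
    "via [CIFS(SMB2)] accessed shared folder [Folder]."
)

# Assumption of this example: literal [ ] \ and . are escaped so the regex
# engine does not read them as metacharacters, and field names use underscores.
PATTERN = (
    r"%{HOSTNAME:host} %{PROG:program}: User \[COMPANY\\%{DATA:user}\] "
    r"from \[%{IPV4:client_ip}%{DATA:unwanted}\] via \[%{DATA:access_type}\] "
    r"accessed shared folder \[%{DATA:folder}\]\."
)

if __name__ == "__main__":
    print(grok_to_regex(PATTERN))
    for field, value in grok_match(PATTERN, MESSAGE).items():
        print(f"{field:12} = {value}")
```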