Issues with Cisco Grok pattern

I’m using the following Grok pattern to extract data from a Cisco device:

%{GREEDYDATA:UNWANTED} %%{GREEDYDATA:cisco_first}?-%{GREEDYDATA:cisco_status}?-%{GREEDYDATA:cisco_last}?: %{GREEDYDATA:cisco_message}

Example log data looks like this:

Aug 12 21:16:00.410: %IPV6_ACL-6-ACCESSLOGDP: list XXXXXXXX/30 permitted icmpv6 :: ->

The pattern works fine on IPV4 related messages, but on an IPV6 record it’s matching on the colon after icmpv6 and not after ACCESSLOGDP like I’d like.

We’re running Graylog V6.0.5. It’s running on Ubuntu with the latest version of Elasticsearch.

I’m basically looking for a Grok pattern that will match “%IPV6_ACL-6-ACCESSLOGDP:” in the log record.

Thanks!

@ffeingol

The below…

%{GREEDYDATA:UNWANTED} %%{DATA:cisco_first}: %{GREEDYDATA:cisco_message}

Matches these examples

Aug 12 21:16:00.410: %IPV6_ACL-6-ACCESSLOGDP: list XXXXXXXX/30 permitted icmpv6

Aug 12 21:16:00.410: %SEC-6-IPACCESSLOGP: list INTERNET-IN denied udp 88.89.209.63(137) -> 1.2.3.4(137), 1 packet

Did you need to further break the message down into fields?

This is what I’m trying to parse. It’s in the format FIRST_PART-STATUS-LAST_PART. It begins with a % (percent sign) and ends with a : (colon). The issue is that my pattern is matching on the colon in the IPV6 address, not the ending colon on the LAST_PART.

@ffeingol Try replacing GREEDYDATA with DATA as below, you can end the pattern with $ to capture the remaining.

%{DATA:UNWANTED}: %(%{DATA:cisco_first}:)? (%{DATA:Thing})? (%{DATA:Thing2})? (%{WORD:Thing3})? (%{WORD:Thing4})?
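As an added example (not code from this thread, and not Graylog’s own grok engine), the following is a small Python re-implementation of grok’s `%{NAME:field}` expansion, run over the two log lines quoted above (the IPv6 line is used exactly as posted, truncated after `->`). It shows why the original all-GREEDYDATA pattern ends `cisco_last` at the `::` of the IPv6 line, why the DATA version stops at the first `: `, and a stricter variant that keys on the FACILITY-SEVERITY-MNEMONIC shape with `WORD`/`INT`, which cannot run across `-` or `:` at all. The `WORD`, `INT`, `DATA` and `GREEDYDATA` definitions are the standard base grok patterns; the field names `cisco_facility`, `cisco_severity` and `cisco_mnemonic` are my choice and do not come from the thread.

```python
import re

# Subset of the base Grok patterns, with the standard definitions that
# Logstash/Graylog ship for these names (enough for the patterns in the thread).
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "DATA": r".*?",          # lazy: stops at the FIRST place the rest can match
    "GREEDYDATA": r".*",     # greedy: stops at the LAST place the rest can match
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_compile(pattern: str) -> "re.Pattern[str]":
    """Expand %{NAME} / %{NAME:field} references into Python regex groups.

    A '%%{' in grok is a literal '%' followed by a reference, so the first '%'
    survives as a literal, exactly as in the thread's patterns.
    """
    def expand(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(_GROK_REF.sub(expand, pattern))


def grok_match(pattern: str, line: str) -> "dict[str, str | None] | None":
    """Unanchored match, like grok: returns the captured fields or None."""
    m = grok_compile(pattern).search(line)
    return m.groupdict() if m else None


# The two log lines quoted in the thread (the IPv6 one as posted, truncated
# after '->').
IPV6_LINE = "Aug 12 21:16:00.410: %IPV6_ACL-6-ACCESSLOGDP: list XXXXXXXX/30 permitted icmpv6 :: ->"
IPV4_LINE = ("Aug 12 21:16:00.410: %SEC-6-IPACCESSLOGP: list INTERNET-IN denied udp "
             "88.89.209.63(137) -> 1.2.3.4(137), 1 packet")

# The pattern from the question: GREEDYDATA backtracks to the LAST place ': '
# can match, which on the IPv6 line is the second colon of '::'.
ORIGINAL_PATTERN = (
    "%{GREEDYDATA:UNWANTED} %%{GREEDYDATA:cisco_first}?-%{GREEDYDATA:cisco_status}?"
    "-%{GREEDYDATA:cisco_last}?: %{GREEDYDATA:cisco_message}"
)

# The first reply's fix: DATA is lazy, so it stops at the FIRST ': '.
DATA_PATTERN = "%{GREEDYDATA:UNWANTED} %%{DATA:cisco_first}: %{GREEDYDATA:cisco_message}"

# Stricter variant (field names are mine, not from the thread): the header is
# FACILITY-SEVERITY-MNEMONIC, so WORD/INT cannot cross '-' or ':' at all.
STRICT_PATTERN = (
    "%{GREEDYDATA:UNWANTED} %%{WORD:cisco_facility}-%{INT:cisco_severity}"
    "-%{WORD:cisco_mnemonic}: %{GREEDYDATA:cisco_message}"
)


def compare(line: str) -> dict:
    """Run all three patterns over one line so the differences are side by side."""
    return {
        "original": grok_match(ORIGINAL_PATTERN, line),
        "data": grok_match(DATA_PATTERN, line),
        "strict": grok_match(STRICT_PATTERN, line),
    }


if __name__ == "__main__":
    for name, line in (("ipv4", IPV4_LINE), ("ipv6", IPV6_LINE)):
        for pat, fields in compare(line).items():
            print(name, pat, fields)
```

On the IPv4 line all three patterns agree, which is why the original "works fine" there; on the IPv6 line the original puts `ACCESSLOGDP: list XXXXXXXX/30 permitted icmpv6 :` into `cisco_last` and leaves only `->` as the message, while the DATA and strict patterns both split at the header’s own colon. The strict pattern also refuses lines with no `%FACILITY-N-MNEMONIC:` header instead of stretching GREEDYDATA over them, which is the behaviour you usually want before a stage that keys rules on the mnemonic.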

That’s exactly what I was looking for, so thank you. Is there some documentation on the {DATA}, {WORD} etc.? I can see the patterns in Grok patterns, but some doc on using them would help.

@ffeingol Happy to help. I’m not finding anything akin to a cheatsheet which would give quick and valuable insight, what I’ve learnt has come from googling.

By far the best tool when creating a pattern would be https://grokdebugger.com/
