Aug 12 21:16:00.410: %IPV6_ACL-6-ACCESSLOGDP: list XXXXXXXX/30 permitted icmpv6 :: ->
The pattern works fine on IPV4 related messages, but on an IPV6 record it’s matching on the colon after icmpv6 and not after ACCESSLOGDP like I’d like.
We’re running Graylog V6.0.5. It’s running on Ubuntu with the latest version of Elasticsearch.
I’m basically looking for a Grok pattern that will match “%IPV6_ACL-6-ACCESSLOGDP:” in the log record.
This is what I’m trying to parse. It’s in the format FIRST_PART-STATUS-LAST_PART. It begins with a % (percent sign) and ends with a : (colon). The issue is that my pattern is matching on the colon in the IPV6 address, not the ending colon on the LAST_PART.
That’s exactly what I was looking for, so thank you. Is there some documentation on the {DATA}, {WORD} etc.? I can see the patterns in Grok patterns, but some doc on using them would help.
@ffeingol Happy to help. I’m not finding anything akin to a cheatsheet which would give quick and valuable insight, what I’ve learnt has come from googling.
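An added example (not code from the thread or from Graylog) that reproduces the mismatch described in the question and shows the anchored FIRST_PART-STATUS-LAST_PART form, using a minimal Python expander over the standard Grok definitions of WORD, INT and GREEDYDATA that the follow-up asks about. The greedy pattern, both sample log lines and the addresses in them are constructed to illustrate the symptom, not taken from the poster's configuration.

```python
import re

# Minimal Grok-to-regex expander. The three base definitions below are copied
# from the standard grok-patterns file that Graylog ships; everything else here
# is an added illustration, not Graylog's own implementation.
GROK_BASE = {
    "WORD": r"\b\w+\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "GREEDYDATA": r".*",
}

# Matches a %{NAME} or %{NAME:field} reference inside a Grok pattern.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into Python named groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_BASE[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(expand, pattern)


def grok_match(pattern, line):
    """Return the captured fields as a dict, or None if the pattern fails."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


# Constructed samples: same shape as the records in the thread, made-up addresses.
IPV6_LINE = ("Aug 12 21:16:00.410: %IPV6_ACL-6-ACCESSLOGDP: list XXXXXXXX/30 "
             "permitted icmpv6 2001:db8::1 -> 2001:db8::2 (1/1), 1 packet")
IPV4_LINE = ("Aug 12 21:16:00.410: %SEC-6-IPACCESSLOGDP: list XXXXXXXX/30 "
             "permitted icmp 192.0.2.1 -> 192.0.2.2 (0/0), 1 packet")

# Greedy form (assumed to be what reproduces the symptom): GREEDYDATA runs to
# the LAST colon on the line, which on an IPv6 record sits inside the address,
# while an IPv4 record has no later colon, so it appears to work there.
GREEDY = r"%%{GREEDYDATA:msgid}:"

# Anchored form: spell out FIRST_PART-STATUS-LAST_PART with WORD and INT, so
# the only colon that can match is the one directly after LAST_PART.
ANCHORED = r"%%{WORD:first_part}-%{INT:status}-%{WORD:last_part}:"
```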