Nested Grok issues in a syslog extractor

Using Graylog v3.0.2+1686930 and custom Grok Patterns listed at the end of the post.

I am having some issues with parsing a semi complex syslog message when it comes to nested Grok patterns to make it usable.

Sample Syslog Message
<190>Aug 16 12:31:36 HOSTNAME notfmgrd[4867]: [1][1][A][4867] [23] nm_handle_events.c.410: Id:3701, Syslog-Severity:6, Perceived-Severity:CLEAR, Name:lldp-neighbor-activity, Category:GENERAL Cause:removed, Details:Neighbor(1) on port 1/2/x1 removed, Xpath:/config/shelf[shelf-id='1']/slot[slot-id='2']/interface/ethernet[port='x1'] Address:/interfaces/interface[name='1/2/x1'], Primary-element:NULL, Value:NULL, Verb:NULL, Session:0, Login:NULL, IpAddress:NULL, SrcManager:NULL

When I get to the portion containing the Xpath:/… portion is where I have nested a few different Grok Patterns to handle the multiple ways this equipment may deliver me a message. This portion will parse sucessfully with AXOSAlarmPath2, if I segregate out the portion of the message and test it against the single pattern. But as soon as test it against the nested Grok (AXOSAlarmPathComb) then I get a rather ugly output as it appears to be using AXOSAlarmPath1 instead of skipping it. I am curious if there is a better methodology or syntax usage to parse these correctly, or if I am running into a previously mentioned topic I found in the forums that seemed to indicate an issue with Graylog and Grok specifically in these nested patterns.

Any help would be greatly apprecated. Thank you in advance!

TrialInputGrok
%{SYSLOGBASE} %{DATA:UNWANTED} Id:%{DATA:axossyslogmsgid}, Syslog-Severity:%{NUMBER:axossyslogseverity}, Perceived-Severity:%{WORD:axosperceivedseverity}, Name:%{USERNAME:axosalarmname}, Category:%{WORD:axosalarmcategory} Cause:%{DATA:axosalarmcatmsg}, Details:%{DATA:axosalarmdetails}, %{AXOSAlarmPathComb} Address:%{DATA:axosuseraddress}, Primary-element:%{DATA:axosprimaryelement}, Value:%{DATA:axosuservalue}, Verb:%{DATA:axosuserverb}, Session:%{DATA:axossessionid}, Login:%{USERNAME:axosusername1}, IpAddress:%{DATA:axossourceip}, SrcManager:%{USERNAME:axossrcmanager}

AXOSAlarmPath1	%{DATA:UNWANTED}\[%{DATA:anapname}\=\'%{DATA:anapnamefield}\'\]	
AXOSAlarmPath2	%{DATA:UNWANTED}\[%{DATA:anapname1}\=\'%{DATA:anapnamefield1}\'\]\/%{DATA:UNWANTED}\[%{DATA:anapname2}\=\'%{DATA:anapnamefield2}\'\]\/%{DATA:UNWANTED}\[%{DATA:anapname3}\=\'%{DATA:anapnamefield3}\'\]	
AXOSAlarmPath3	%{DATA:UNWANTED}\[%{DATA:anapname}\=\'%{DATA:anapnamefield}\'\]\/%{DATA:anapnamesubfld}	
AXOSAlarmPathComb	(%{AXOSAlarmPath1}|%{AXOSAlarmPath2}|%{AXOSAlarmPath3})

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.