I have two Barracuda FWs with different log structures and a Logstash grok filter plugin that needs to parse them.
Values-only log entry:
+02:00 Info blabla Detect: FWD|TCP|bond0.777|188.8.131.52|53329|00:00:00:00:00:00|184.108.40.206|443||bond1.182||0|220.127.116.11|18.104.22.168|0|1|0|0|0|0||SSL|Microsoft Services Base|graph.microsoft.com||Computing/Technology (82)
Fields + values log entry:
+02:00 Info blabla Remove: type=FWD|proto=UDP|srcIF=pvpn0|srcIP=22.214.171.124|srcPort=61661|srcMAC=00:00:00:00:00:00|dstIP=10.248.0.10|dstPort=53|dstService=dns|dstIF=pvpn0|rule=V2L-DNS-IN|info=Balanced Session Idle Timeout|srcNAT=10.248.11.215|dstNAT=127.0.0.1|duration=20|count=1|receivedBytes=444|sentBytes=82|receivedPackets=1|sentPackets=1|user=johba|protocol=|application=|target=|content=|urlcat=
I already have a regex for the first scenario. However, I'd like to have a single regex that would match in both cases, no matter whether the field names are present.
For instance, I'd like my regex to match both
- I tried with a char class first, i.e. (type=)*\w+. The con is that, for instance, if I have dstService=dns and the portion of my regex is (dstService=)*\w+, the grok filter would match ns only instead of
- Then I tried with d*s*t*S*e*r*v*i*c*e*=*\w+ and this worked. However, I was wondering whether there is a more elegant way of achieving this goal?
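One way to match both layouts with a single pattern, as an added example that is not part of the original question: make each field name an optional non-capturing prefix and capture the value with [^|]* so that empty fields and values containing dots, spaces or parentheses still match, which \w+ cannot do. It is written with Python's re module rather than grok, and it assumes the values in the values-only line follow the same order as the names in the fields + values line (inferred by aligning the two samples).

```python
import re

# Field order assumed from aligning the two sample lines (26 pipe-separated fields each).
FIELDS = [
    "type", "proto", "srcIF", "srcIP", "srcPort", "srcMAC", "dstIP", "dstPort",
    "dstService", "dstIF", "rule", "info", "srcNAT", "dstNAT", "duration", "count",
    "receivedBytes", "sentBytes", "receivedPackets", "sentPackets", "user",
    "protocol", "application", "target", "content", "urlcat",
]

def field_pattern(name):
    # "name=" is an optional prefix; the value is anything up to the next pipe, possibly empty
    # (the values-only line has empty fields, which \w+ cannot match). The lookahead keeps the
    # two branches mutually exclusive, so a non-matching line fails fast instead of backtracking
    # through every prefix/no-prefix combination across 26 fields.
    return rf"(?:{name}=)?(?P<{name}>(?!{name}=)[^|]*)"

# Action word (Detect/Remove) followed by the 26 fields; $ pins the last field to end of line.
PATTERN = re.compile(
    r"(?P<action>\w+): " + r"\|".join(field_pattern(f) for f in FIELDS) + r"$"
)

def parse(line):
    """Return a dict of field name -> value for either log layout, or None if no match."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None

# The two sample lines from the question, verbatim.
VALUES_ONLY = (
    "+02:00 Info blabla Detect: FWD|TCP|bond0.777|188.8.131.52|53329|00:00:00:00:00:00|"
    "184.108.40.206|443||bond1.182||0|220.127.116.11|18.104.22.168|0|1|0|0|0|0||SSL|"
    "Microsoft Services Base|graph.microsoft.com||Computing/Technology (82)"
)
FIELDS_AND_VALUES = (
    "+02:00 Info blabla Remove: type=FWD|proto=UDP|srcIF=pvpn0|srcIP=22.214.171.124|"
    "srcPort=61661|srcMAC=00:00:00:00:00:00|dstIP=10.248.0.10|dstPort=53|dstService=dns|"
    "dstIF=pvpn0|rule=V2L-DNS-IN|info=Balanced Session Idle Timeout|srcNAT=10.248.11.215|"
    "dstNAT=127.0.0.1|duration=20|count=1|receivedBytes=444|sentBytes=82|receivedPackets=1|"
    "sentPackets=1|user=johba|protocol=|application=|target=|content=|urlcat="
)

if __name__ == "__main__":
    for line in (VALUES_ONLY, FIELDS_AND_VALUES):
        f = parse(line)
        print(f["action"], repr(f["dstService"]), repr(f["urlcat"]))
```

In grok the same per-field construct is written (?:dstService=)?(?<dstService>(?!dstService=)[^|]*), since grok's Oniguruma engine uses (?<name>...) for named captures rather than Python's (?P<name>...).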