syslog – Regex char class – more elegant solution

I have two barracuda FWs with different log structure and a Logstash grok filter plugin that needs to parse them.

values only log entry

+02:00 Info     blabla Detect: FWD|TCP|bond0.777|1.1.1.1|53329|00:00:00:00:00:00|20.190.159.32|443||bond1.182||0|80.231.71.252|20.190.159.32|0|1|0|0|0|0||SSL|Microsoft Services Base|graph.microsoft.com||Computing/Technology (82)

fields + values log entry

+02:00 Info     blabla Remove: type=FWD|proto=UDP|srcIF=pvpn0|srcIP=1.1.1.1|srcPort=61661|srcMAC=00:00:00:00:00:00|dstIP=10.248.0.10|dstPort=53|dstService=dns|dstIF=pvpn0|rule=V2L-DNS-IN|info=Balanced Session Idle Timeout|srcNAT=10.248.11.215|dstNAT=127.0.0.1|duration=20|count=1|receivedBytes=444|sentBytes=82|receivedPackets=1|sentPackets=1|user=johba|protocol=|application=|target=|content=|urlcat=

I already have a regex for the first scenario. However, I’d like to have a single regex that would match in both cases, no matter if the field names are present.

For instance I’d like my regex to match both `FWD` and `type=FWD`.

  1. I tried with char class first, i.e. `(type=)*\w+`. Con is that, for instance if I have `dstService=dns`, and the portion of my regex is `(dstService=)*\w+`, the grok filter would match `ns` only instead of `dns`.
  2. Then I tried with `d*s*t*S*e*r*v*i*c*e*=*\w+` and this worked. However, I was thinking if there was a more elegant way of achieving this goal?
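One way to get a single pattern for both layouts, shown here as an added example in Ruby (whose regex engine, like grok's, is Oniguruma-based) and not code from the original post or from Logstash: make each `name=` prefix optional exactly once with a non-capturing `(?:name=)?`, capture the value with a named group that stops at the next pipe, and anchor the whole thing on the `Detect:`/`Remove:` keyword. The `FIELDS`, `FIELD_RE`, `LINE_RE` and `parse` names are my own; the sample lines are the two from the post, truncated after the fields parsed here.

```ruby
# Field names in the order they appear in the log. Only the first nine are
# handled here; extend the list to cover the remaining columns.
FIELDS = %w[type proto srcIF srcIP srcPort srcMAC dstIP dstPort dstService].freeze

# Per field: "(?:name=)?" makes the prefix optional (once, with "?", not "*"),
# and "(?<name>[^|]*)" captures everything up to the next pipe.
# [^|]* rather than \w+ so that empty values ("dstService=|") and values with
# dots or colons ("bond0.777", a MAC address) still match.
# Fields are joined with a literal "|" (single quotes keep the backslash).
FIELD_RE = FIELDS.map { |f| "(?:#{f}=)?(?<#{f}>[^|]*)" }.join('\|')

# Anchor on the action keyword so matching starts at the first field.
# The same "(?<name>...)" named groups work unchanged inside a grok pattern.
LINE_RE = /(?<action>Detect|Remove): #{FIELD_RE}/

# Returns a Hash of field name => value, or nil when the line does not match.
def parse(line)
  m = LINE_RE.match(line)
  m && m.named_captures
end

# Sample lines taken from the post (constructed truncation after dstIF).
VALUES_ONLY = '+02:00 Info     blabla Detect: FWD|TCP|bond0.777|1.1.1.1|53329|00:00:00:00:00:00|20.190.159.32|443||bond1.182'
NAMED       = '+02:00 Info     blabla Remove: type=FWD|proto=UDP|srcIF=pvpn0|srcIP=1.1.1.1|srcPort=61661|srcMAC=00:00:00:00:00:00|dstIP=10.248.0.10|dstPort=53|dstService=dns|dstIF=pvpn0'

if __FILE__ == $PROGRAM_NAME
  [VALUES_ONLY, NAMED].each { |l| p parse(l) }
end
```

Both lines produce a hash with the same keys, so downstream filters can treat the two firewalls identically.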