Tags: regex, logstash, regex-group, logstash-grok

Regex (grok) - create a general pattern for a log part which occurs but does not have to


I am sorry for the enigmatic topic title, but I did not know how to put it correctly. These are the log types:

{vpnclient} Client[10.10.10.10:54576](11764): sending R_KEYCHANGE message

{vpnclient} Client[10.10.10.10:54576](16031): sending R_IPCONFIG message - client IP = 172.11.11.11/255.255.255.0, CEP = 3600 s, DNS = 172.11.1.101, 172.11.1.102

And this is my grok pattern:

^{vpnclient} %{WORD}\[%{IP:[client][ip]}:%{NUMBER:[source][port]}\]\(%{INT:[process][pid]}\): %{GREEDYDATA:message} (:?%{GREEDYDATA:kv_vpn_message})

What I want to do is forward the log part after the hyphen (so "- client IP ...") to the kv filter. My problem is that this type of log does not always occur, so I want to wrap the whole grok pattern so that it matches up to %{GREEDYDATA:message} and also %{GREEDYDATA:kv_vpn_message}, but only when that part occurs.


Solution

  • You can use

    ^{vpnclient} %{WORD}\[%{IP:[client][ip]}:%{NUMBER:[source][port]}\]\(%{INT:[process][pid]}\): %{DATA:message}(?: - %{GREEDYDATA:kv_vpn_message})?$
    

    There are several changes:
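The accepted pattern expanded into the plain regex that grok compiles it to (Ruby's Oniguruma engine, the one Logstash uses) and run over the two log lines from the question, as an added example that is not part of the original answer. It assumes simplified stand-ins for the %{IP}, %{WORD}, %{NUMBER} and %{INT} base patterns, flat group names (client_ip, source_port, process_pid) in place of the [client][ip] style field names, and a minimal parse_kv helper that only illustrates what the kv filter is meant to produce, not the filter itself.

```ruby
# Added example, not code from the original post. Simplified stand-ins for the
# grok base patterns; the real %{IP}/%{NUMBER} definitions are more elaborate.
IP     = /\d{1,3}(?:\.\d{1,3}){3}/
WORD   = /\b\w+\b/
NUMBER = /[+-]?\d+(?:\.\d+)?/
INT    = /[+-]?\d+/

# The accepted grok pattern as plain regex. %{DATA:message} is the lazy .*?,
# %{GREEDYDATA:kv_vpn_message} is the greedy .*, the " - " separator sits
# inside the optional group, and $ forces the lazy message to stretch to the
# separator, or to the end of the line when no separator is present.
VPN_LINE = /\A\{vpnclient\} #{WORD}\[(?<client_ip>#{IP}):(?<source_port>#{NUMBER})\]\((?<process_pid>#{INT})\): (?<message>.*?)(?: - (?<kv_vpn_message>.*))?$/

# Minimal "key = value, key = value" split for kv_vpn_message. This stands in
# for the kv filter output; it is not the Logstash kv filter itself.
def parse_kv(text)
  result = {}
  last_key = nil
  text.split(/,\s*/).each do |chunk|
    key, value = chunk.split(/\s*=\s*/, 2)
    if value
      result[key] = value
      last_key = key
    elsif last_key
      # a comma inside a value (the DNS list in the sample): re-attach it to the previous key
      result[last_key] += ", #{key}"
    end
  end
  result
end

# Returns a hash of the captured fields, plus "kv" when the optional part matched,
# or nil when the line does not match at all.
def parse_line(line)
  m = VPN_LINE.match(line)
  return nil unless m
  fields = m.named_captures.reject { |_, v| v.nil? }
  fields["kv"] = parse_kv(fields["kv_vpn_message"]) if fields["kv_vpn_message"]
  fields
end

# The two log lines from the question.
LOGS = [
  "{vpnclient} Client[10.10.10.10:54576](11764): sending R_KEYCHANGE message",
  "{vpnclient} Client[10.10.10.10:54576](16031): sending R_IPCONFIG message - client IP = 172.11.11.11/255.255.255.0, CEP = 3600 s, DNS = 172.11.1.101, 172.11.1.102",
].freeze

LOGS.each { |l| p parse_line(l) } if __FILE__ == $PROGRAM_NAME
```

The first line yields only message and no kv_vpn_message key, which is exactly the behaviour the question asks for; the second line yields both, and a line that does not fit the format returns nil instead of a half-filled event.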