
grok expression for Sophos syslog

I am having a lot of trouble trying to figure out a grok expression for the following message types (coming from a Sophos UTM):

Apr 28 16:57:49 utm-vap-xx.domain.local 2018: 04:28-17:02:05 s-utm-01 httpproxy[52816]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="10.11.110.5" dstip="216.163.176.36" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="15" request="0xdae2cc00" url="iprep3.t.ctmail.com/.../SpamResolverNG.dll referer="" error="" authtime="0" dnstime="905" cattime="143" avscantime="2275" fullreqtime="238344" device="0" auth="0" ua="Mozilla/4.0 (compatible; Win32; Commtouch Http Client (curl))" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" country="United States" content-type="text/html" sandbox="-"

The problem arises when I want to skip fields or when value pairs contain an empty string. For example, in Logstash, adding something like

()?(srcip={%"IP:SourceIP"})

is causing problems, while these do work in the online grok builder

The goal is to get something like this:

Sub
SourceIP
Destination IP
Protocol, etc.

I am also intending to use the geo-tags in Logstash which I already have working with other sources.

Looking forward to receiving some valuable help. Thanks
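Added example (not from the thread, not Sophos or Elastic code): a small Python parser that does what a Logstash `kv` filter would do after a header grok, splitting the syslog/UTM header with one regex and the `key="value"` body with another, so empty values such as `user=""` no longer break the match. The sample line is constructed from the one in the post (the url value was shortened so the line is well-formed), and the field names `Sub`, `SourceIP` and `DestinationIP` are the poster's target names.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the Sophos UTM httpproxy line in the post.
SAMPLE = (
    'Apr 28 16:57:49 utm-vap-xx.domain.local 2018: 04:28-17:02:05 s-utm-01 '
    'httpproxy[52816]: id="0001" severity="info" sys="SecureWeb" sub="http" '
    'name="http access" action="pass" method="POST" srcip="10.11.110.5" '
    'dstip="216.163.176.36" user="" group="" statuscode="200" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'url="iprep3.t.ctmail.com/SpamResolverNG.dll" referer="" '
    'ua="Mozilla/4.0 (compatible; Win32; Commtouch Http Client (curl))" '
    'categoryname="Internet Services" country="United States" sandbox="-"'
)

# Relay syslog timestamp, relay host, UTM year and timestamp, UTM host, program[pid], then the body.
HEADER = re.compile(
    r'^(?P<relay_ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<relay>\S+) '
    r'(?P<year>\d{4}): (?P<utm_ts>\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<program>[\w-]+)\[(?P<pid>\d+)\]: (?P<body>.*)$'
)

# One key="value" pair. [^"]* accepts an empty value and values with spaces or parentheses.
PAIR = re.compile(r'([A-Za-z0-9_-]+)="([^"]*)"')

# UTM keys renamed to the field names the poster wants; everything else keeps the UTM key.
RENAME = {"sub": "Sub", "srcip": "SourceIP", "dstip": "DestinationIP"}


def parse_utm_line(line: str, drop_empty: bool = True) -> Optional[Dict[str, str]]:
    """Return the header fields plus every key="value" pair, or None if the header does not match."""
    m = HEADER.match(line)
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    for key, value in PAIR.findall(m.group("body")):
        if drop_empty and value in ("", "-"):
            continue  # skip user="" or sandbox="-" rather than storing a junk field
        fields[RENAME.get(key, key)] = value
    return fields


def geoip_candidates(fields: Dict[str, str]) -> List[str]:
    """Names of the parsed address fields a GeoIP lookup can resolve (valid, public IPs only)."""
    out = []
    for name in ("SourceIP", "DestinationIP"):
        try:
            ip = ipaddress.ip_address(fields.get(name, ""))
        except ValueError:
            continue  # missing or malformed address: do not feed it to the geoip filter
        if ip.is_global:
            out.append(name)
    return out
```

The private 10.x source address is deliberately left out of the GeoIP candidates, since a geoip lookup on it only produces a lookup-failure tag.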
