Hi Youzha,

It should be possible to add multiple patterns in a single config file. For
reference, you can check out the use of multiple patterns in a repo I
maintain [1].
You would find the patterns in [2] useful for your use-case.

However, do note that there is a cost to every grok failure [3] - so you
need to ensure that your most common event patterns are at the top of the
list.

As a side-note, if you have any logstash parsers which are not available in
the repo, please feel free to submit a PR to [4]


[1]
https://bitbucket.org/networkintelligence/logstash-configs/raw/aae3d61bb6c53beb0678536e2e9b33d7996e2960/cisco-asa.conf
[2]
https://bitbucket.org/networkintelligence/logstash-configs/raw/aae3d61bb6c53beb0678536e2e9b33d7996e2960/linux-system.conf
[3] https://www.elastic.co/blog/do-you-grok-grok
[4] https://bitbucket.org/networkintelligence/logstash-configs/

Regards,
---
Wasim Halani
http://twitter.com/washalsec
http://securitythoughts.wordpress.com
----------
To keep silent when you can say something wise and useful is as bad as
keeping on propagating foolish and unwise thoughts. -- Imam Ali (p.b.u.h.)

On Mon, Oct 23, 2017 at 8:08 AM, Youzha <yuza.ras...@gmail.com> wrote:

> Hi, is it possible to use multiple grok parser patterns in 1 pattern
> file?
> I'm trying to parse the authlog file /var/log/secure into Metron. The
> problem is there are different structures of logs inside /var/log/secure.
> Any suggestions for this, please?
>
>
> Best Regards,
>
>

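The two points in Wasim's reply (several event patterns in one parser, most common pattern first because every non-matching pattern is a wasted regex evaluation) can be seen on a handful of /var/log/secure lines. The following is an added illustration in Python, not code from the Metron project, from Logstash or from the linked repo: the grok base patterns are simplified stand-ins for the real pattern libraries, the event pattern names (SSH_ACCEPTED, SSH_FAILED, SUDO, PAM_SESSION) are hypothetical, and the log lines are constructed samples. The parser tries patterns in the given order and counts every regex evaluation, so reordering the list shows the cost difference directly.

```python
import re
from collections import Counter

# Simplified stand-ins for the grok base patterns. Assumption: the same
# %{NAME:field} syntax as Logstash/Metron, but these are NOT the official
# pattern files; they cover only what the sample lines below need.
BASE_PATTERNS = {
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "MONTHDAY": r"(?:[ 0]?[1-9]|[12][0-9]|3[01])",
    "TIME": r"[0-2][0-9]:[0-5][0-9]:[0-5][0-9]",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"[A-Za-z0-9._-]+",
    "PROG": r"[\w._/%-]+",
    "WORD": r"\w+",
    "INT": r"[+-]?\d+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "GREEDYDATA": r".*",
    # Syslog header shared by every /var/log/secure line: "Mon DD HH:MM:SS host prog[pid]:"
    "SYSLOGBASE": r"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{PROG:program}(?:\[%{INT:pid}\])?:",
}

# Event patterns for /var/log/secure, all reusing the shared header (hypothetical names).
EVENT_PATTERNS = {
    "SSH_ACCEPTED": r"%{SYSLOGBASE} Accepted %{WORD:auth_method} for %{USERNAME:user} from %{IP:src_ip} port %{INT:src_port} ssh2",
    "SSH_FAILED": r"%{SYSLOGBASE} Failed %{WORD:auth_method} for (?:invalid user )?%{USERNAME:user} from %{IP:src_ip} port %{INT:src_port} ssh2",
    "SUDO": r"%{SYSLOGBASE} +%{USERNAME:user} : TTY=%{PROG:tty} ; PWD=%{GREEDYDATA:pwd} ; USER=%{USERNAME:target_user} ; COMMAND=%{GREEDYDATA:command}",
    "PAM_SESSION": r"%{SYSLOGBASE} pam_unix\(%{PROG:service}:session\): session %{WORD:action} for user %{USERNAME:user}(?: by %{USERNAME:by_user}?\(uid=%{INT:uid}\))?",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(expr, library=BASE_PATTERNS):
    """Expand %{NAME} / %{NAME:field} references (recursively) into a plain Python regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        inner = compile_grok(library[name], library)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(expand, expr)


class OrderedGrok:
    """Try the patterns in the given order; the first match wins. Every regex
    evaluation is counted so the cost of ordering (and of lines that match
    nothing at all) is visible."""

    def __init__(self, names):
        self.patterns = [(n, re.compile(compile_grok(EVENT_PATTERNS[n]))) for n in names]
        self.attempts = Counter()

    def parse(self, line):
        for name, rx in self.patterns:
            self.attempts[name] += 1
            m = rx.match(line)  # anchored at the start of the line, like a leading '^'
            if m:
                fields = {k: v for k, v in m.groupdict().items() if v is not None}
                fields["pattern"] = name
                return fields
        return None  # every pattern was tried and failed: a grok parse failure


# Constructed sample of /var/log/secure lines (not real captured data).
LOG_LINES = [
    "Oct 23 08:01:02 bastion sshd[4312]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Oct 23 08:01:02 bastion sshd[4312]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Oct 23 08:01:40 bastion sshd[4380]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
    "Oct 23 08:01:41 bastion sshd[4380]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
    "Oct 23 08:02:10 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart sshd",
    "Oct 23 08:02:10 bastion sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)",
    "Oct 23 08:02:11 bastion sudo: pam_unix(sudo:session): session closed for user root",
    "Oct 23 08:03:00 bastion sshd[4401]: Received disconnect from 203.0.113.7 port 40022:11: Bye Bye [preauth]",
]


def parse_all(order, lines=LOG_LINES):
    """Parse every line with the patterns in `order`; return (results, total regex evaluations)."""
    parser = OrderedGrok(order)
    results = [parser.parse(line) for line in lines]
    return results, sum(parser.attempts.values())


if __name__ == "__main__":
    for order in (["SSH_ACCEPTED", "SSH_FAILED", "SUDO", "PAM_SESSION"],
                  ["PAM_SESSION", "SSH_FAILED", "SSH_ACCEPTED", "SUDO"]):
        results, cost = parse_all(order)
        print(f"{cost} regex evaluations with order {order}")
        for r in results:
            print("   ", r["pattern"] if r else "NO MATCH")
```

On these eight lines the order with the rarest event first costs 24 regex evaluations, and the order with the most frequent event (PAM session messages) first costs 18, with identical parse results; the "Received disconnect" line matches nothing and is charged the full pass over every pattern either way, which is the per-failure cost the linked Elastic post describes. The same post recommends anchoring patterns with `^`; `re.match` above gives the start anchor for free, and in a real Metron or Logstash config the anchor has to be written into the pattern.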