I have the following Logstash conf file:
filter {
  if [type] == "TACACS_log" {
    grok {
      # Both patterns are tried in order. Note that the literal spaces on each
      # side of every \s* demand a space there, which is why neither pattern
      # matches the tab-separated lines shown below.
      match => { "message" => [
        "%{CISCOTIMESTAMP:JsonTimestamp} %{IP:LogonTo} \s* %{USERNAME:User} \s* %{WORD:Port} \s* %{IP:LogonFrom} %{DATA} cmd=%{GREEDYDATA:command}",
        "%{CISCOTIMESTAMP:JsonTimestamp} %{IP:LogonTo} \s* %{USERNAME:User} %{WORD:Port} %{DATA} cmd=%{GREEDYDATA:command}"
      ] }
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{LogonTo}"
      }
    }
    date {
      # The grok above stores the parsed timestamp in the JsonTimestamp field;
      # CISCOTIMESTAMP is a pattern name, not a field, so the date filter has
      # to reference JsonTimestamp.
      match => [ "JsonTimestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
The logs are coming in through logstash forwarder and the CISCOTIMESTAMP does not match. Example log file:
Jun 11 11:32:38 192.168.2.49 user tty1 10.1.250.5 stop task_id=176 timezone=EDT service=shell start_time=1434036772 priv-lvl=15 cmd=show running-config
The issue is in the format of the log entry, which you can see in the _message field:
{"message":"Jun 2 14:43:24\t192.168.2.53\tadmintest\ttty1\t10.1.250.6\tstop\ttask_id=133\ttimezone=EDT\tservice=shell\tstart_time=1433270604\tpriv-lvl=15\tcmd=logging trap warnings ","@version":"1","@timestamp":"2015-06-12T10:14:30.493Z","type":"TACACS_log","host":"ELK","path":"/tmp/tac_plus_acct.log","JsonTimestamp":"Jun 2 14:43:24","LogonTo":"192.168.2.53","User":"admintest","Port":"tty1","LogonFrom":"10.1.250.6","command":"logging trap warnings "}
Several of the fields are tab separated, but not all. The statement that worked is:
match => { "message" => "%{CISCOTIMESTAMP:JsonTimestamp}\s*%{IP:LogonTo}\s*%{USERNAME:User}\s*%{WORD:Port}\s*%{IP:LogonFrom}%{GREEDYDATA}cmd=%{GREEDYDATA:command}" }