That is not valid grok. Pattern names should be unique in the grok. What you probably mean is something like:
AUTHLOG1 %{NUMBER:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}
AUTHLOG2 %{NUMBER:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} closed for user %{USERNAME:username}
AUTHLOG (?:%{AUTHLOG1}|%{AUTHLOG2})

Simon

> On 23 Oct 2017, at 08:53, tkg_cangkul <yuza.ras...@gmail.com> wrote:
>
> FYI,
>
> I've been trying to use the Grok parser in Metron with multiple patterns in a
> single file, but it doesn't work. This is my sample grok pattern in
> /apps/metron/patterns/authlog:
>
> AUTHLOG %{NUMBER:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}
> AUTHLOG %{NUMBER:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} closed for user %{USERNAME:username}
>
> When the sensor started, the second grok pattern didn't work. Only the first
> pattern worked.
> There is an error message like this in the Storm logs:
>
> Caused by: java.lang.RuntimeException: Grok statement produced a null message.
>
>
> On 23/10/17 10:49, tkg_cangkul wrote:
>> Hi Wasim,
>>
>> Thanks for your reply.
>> So it means I should use the logstash parser for Metron?
>> Is there any documentation about using the logstash parser for Metron?
>> I didn't find any documentation about that in Metron.
>> I just found the logstash basic parser, but there is no documentation about that.
>>
>>
>> On 23/10/17 10:33, Wasim Halani wrote:
>>> Hi Youzha,
>>>
>>> It should be possible to add multiple patterns in a single config file. For
>>> reference, you can check out the use of multiple patterns in a repo I
>>> maintain [1].
>>> You would find the patterns in [2] useful for your use-case.
>>>
>>> However, do note that there is a cost to every grok failure [3] - so you
>>> need to ensure that your most common event patterns are at the top of the
>>> list.
>>>
>>> As a side-note, if you have any logstash parsers which are not available in
>>> the repo, please feel free to submit a PR to [4].
>>>
>>> [1] https://bitbucket.org/networkintelligence/logstash-configs/raw/aae3d61bb6c53beb0678536e2e9b33d7996e2960/cisco-asa.conf
>>> [2] https://bitbucket.org/networkintelligence/logstash-configs/raw/aae3d61bb6c53beb0678536e2e9b33d7996e2960/linux-system.conf
>>> [3] https://www.elastic.co/blog/do-you-grok-grok
>>> [4] https://bitbucket.org/networkintelligence/logstash-configs/
>>>
>>> Regards,
>>> ---
>>> Wasim Halani
>>> http://twitter.com/washalsec
>>> http://securitythoughts.wordpress.com
>>> ----------
>>> To keep silent when you can say something wise and useful is as bad as
>>> keeping on propagating foolish and unwise thoughts. -- Imam Ali (p.b.u.h.)
>>>
>>> On Mon, Oct 23, 2017 at 8:08 AM, Youzha <yuza.ras...@gmail.com> wrote:
>>> Hi, is it possible to use multiple grok parser patterns in 1 pattern file?
>>> I'm trying to parse the authlog file in /var/log/secure into Metron. The
>>> problem is there are different structures of logs inside /var/log/secure.
>>> Any suggestions for this, please?
>>>
>>> Best Regards,
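To make the fix above concrete, here is an added Python example (not Metron's or java-grok's code) that expands a grok pattern file the way the thread describes: it loads the three uniquely named entries, rejects a file that defines AUTHLOG twice, and runs the combined AUTHLOG pattern over constructed auth-log lines. The simplified base pattern definitions, the sample lines and the function names are assumptions made for this example.

```python
import re
# Constructed, simplified subset of the stock grok base patterns (not Metron's
# or java-grok's own definitions); enough to expand the thread's AUTHLOG file.
BASE = {"NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?", "POSINT": r"[1-9][0-9]*",
        "WORD": r"\b\w+\b", "DATA": r".*?", "GREEDYDATA": r".*",
        "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
        "USERNAME": r"[a-zA-Z0-9._-]+", "SYSLOGHOST": r"[a-zA-Z0-9._-]+"}
# Simon's corrected pattern file: unique names, combined by alternation.
PATTERN_FILE = r"""
AUTHLOG1 %{NUMBER:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} password for %{USERNAME:username} from %{IP:ip} %{GREEDYDATA}
AUTHLOG2 %{NUMBER:timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT}\])?: %{WORD:login} closed for user %{USERNAME:username}
AUTHLOG (?:%{AUTHLOG1}|%{AUTHLOG2})
"""
SAMPLE_LINES = [  # constructed lines in the shape the file expects (epoch timestamp)
    "1508741581 host01 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "1508741590 host01 sshd[1234]: session closed for user alice",
    "1508741600 host01 cron[99]: (root) CMD (run-parts)",  # matches no branch
]
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}

def load_patterns(text):
    # Parse "NAME pattern" lines; a NAME defined twice is rejected, since in the
    # original file the second AUTHLOG line just replaced the first one.
    patterns = dict(BASE)
    for line in filter(None, map(str.strip, text.splitlines())):
        name, _, body = line.partition(" ")
        if name in patterns and name not in BASE:
            raise ValueError(f"duplicate grok pattern name: {name}")
        patterns[name] = body
    return patterns

def compile_grok(name, patterns):
    # Expand %{...} recursively into one regex; each capture gets a unique group
    # id mapped back to its field, so both branches may capture e.g. username.
    groups = {}
    def expand(pname):
        def repl(m):
            inner = expand(m.group(1))
            if m.group(2) is None:
                return f"(?:{inner})"
            gid = f"g{len(groups)}"
            groups[gid] = m.group(2)
            return f"(?P<{gid}>{inner})"
        return REF.sub(repl, patterns[pname])
    return re.compile(expand(name)), groups

def grok_match(line, name="AUTHLOG", text=PATTERN_FILE):
    # Fields, or None when no branch matches (the "Grok statement produced a null message" case).
    rx, groups = compile_grok(name, load_patterns(text))
    m = rx.match(line)
    return None if m is None else {groups[g]: v for g, v in m.groupdict().items() if v is not None}
```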