Grok and IPv6 firewall log

tomasz · April 27, 2017, 8:02am

Hello.
I am working on ELK (Elasticsearch, Logstash and Kibana). I need to parse IPV6 log from firewall. For IPv4 everything works correctly but for IPv6 not
Log form Mikrotik firewall:

Apr 26 16:17:37 10.10.20.1 firewall,info forward: in:HE-tunnel out:HE-tunnel, proto TCP (SYN), [2607:5300:100::43d]:49176->[ipv6:address]:8080, len 40

Groke pattern:

%{SYSLOGTIMESTAMP:date}%{DATA:LogPrefix}%{DATA:LogChain}: in:%{DATA:src_zone} out:%{DATA:dst_zone}, proto%{DATA:proto}, [%{IP:src_ipv6}]:%{INT:src_port}->[%{IP:dst_ipv6}]:%{INT:dst_port}, len %{INT:length}

Does anyone has grok pattern for IPv6 which works for Mikrotik firewall logs?

pe1chl · April 27, 2017, 10:52am

I don’t know this specific program but often in expressions like that the [ and ] are special and need to be escaped when used as literal characters.
E.g. [ and ]