I am parsing nginx error logs using logstash 1.2.2. In order to simplify the configuration I put several patterns into a single grok filter. This doesn't work if it matches multiple times. In this case only the first match is reported even if the option break_on_match is set to false.
This is my example configuration. The first grok filter is working fine, the second grok filter returns only the first match which is "server", the third filter returns naxsi without any problems...
So my patterns are doing ok... only the break_on_match function isn't working as designed.
I believe that "break_on_match" only works within a single grok filter, not across all of them.
If you want that kind of functionality, I'd use tags.
Ok but even within a single grok filter this doesn't work:
This example creates only modsec_tag = "WEB_ATTACK/SQL_INJECTION" instead of modsec_tag = [ "WEB_ATTACK/SQL_INJECTION", "WASCTC/WASC-19", ...]
Right now this is my workaround: