I am trying to create an "action" field extraction to grab "permitted/denied" from my Cisco device logs. I can get this "(?i)-INGRESS (?P
EXAMPLE LOGS
Apr 4 13:37:55 XXX-gw 28127310: Apr 4 13:39:26.000:%FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list GLOBAL-INGRESS denied tcp XXX.XX.9.XXX(53165) -> 132.X.X.X(25), 1 packet
Apr 4 13:37:55 XXX-usr-250.grace.ad.XX.XXX 192461: Apr 4 13:39:26:%SEC-6-IPACCESSLOGS: list 15 permitted XX.16.XX.X 1 packet
Apr 4 13:37:55 XXX-sdp 23211: Apr 4 13:39:25.975:%SEC-6-IPACCESSLOGNP: list NTPPEER denied 0 XXX.XX.2.X -> XXX.XXX.X.XX,1 packet
This is tricky but does have some consistency. The string ": list (some word)" is consistent, so I would try this for the regex:
(?i):\s+list\s+\S+\s+(?<fieldname>[^ ]+)\s+
Hope that helps.
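To show the suggested extraction actually working on the three example lines, here is an added Python check (not part of the original question or answer, and not Splunk code). It uses the answer's regex with the named group written in Python's (?P<name>...) form instead of Splunk's (?<name>...), and adds an assumed whitelist of the two expected verdicts so a line with an unexpected layout does not produce a bogus action value. The acl group, the VALID_ACTIONS set and the summarise helper are my additions; the sample lines are constructed copies of the masked logs in the question.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the three masked Cisco ACL log lines
# in the question (hosts and addresses are placeholders, as in the post).
SAMPLE_LOGS = [
    "Apr 4 13:37:55 XXX-gw 28127310: Apr 4 13:39:26.000:%FMANFP-6-IPACCESSLOGP: "
    "F0: fman_fp_image: list GLOBAL-INGRESS denied tcp XXX.XX.9.XXX(53165) -> 132.X.X.X(25), 1 packet",
    "Apr 4 13:37:55 XXX-usr-250.grace.ad.XX.XXX 192461: Apr 4 13:39:26:%SEC-6-IPACCESSLOGS: "
    "list 15 permitted XX.16.XX.X 1 packet",
    "Apr 4 13:37:55 XXX-sdp 23211: Apr 4 13:39:25.975:%SEC-6-IPACCESSLOGNP: "
    "list NTPPEER denied 0 XXX.XX.2.X -> XXX.XXX.X.XX,1 packet",
]

# The answer's regex, with Splunk's (?<name>...) written as Python's (?P<name>...).
# The token after "list" (the ACL name or number) is captured too, as "acl",
# because it is useful context for the verdict (assumed extra group).
ACTION_RE = re.compile(r"(?i):\s+list\s+(?P<acl>\S+)\s+(?P<action>[^ ]+)\s+")

# Assumed whitelist: the only verdicts the question wants in the "action" field.
VALID_ACTIONS = {"permitted", "denied"}


def extract_action(line):
    """Return (acl, action) for an ACL log line, or None if the line does not
    match or the captured token is not a known verdict. Lower-casing keeps the
    field value consistent regardless of how the device capitalises it."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    action = m.group("action").lower()
    if action not in VALID_ACTIONS:
        # Guards against a stray token being stored as the action field.
        return None
    return m.group("acl"), action


def summarise(lines):
    """Count verdicts per ACL; a quick sanity check that the extraction
    behaves on a batch of lines before it is trusted in a search or alert."""
    counts = Counter()
    for line in lines:
        hit = extract_action(line)
        if hit:
            counts[hit] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(extract_action(line))
    print(summarise(SAMPLE_LOGS))
```

Running the script prints the (acl, action) pair for each sample line and a per-ACL count of verdicts; a line without the ": list <name> <verdict>" shape yields None rather than a wrong field value.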