Description
opened on Aug 7, 2024
Integration Name
Cisco FTD [cisco_ftd]
Dataset Name
cisco_ftd.log
Integration Version
0.1.0
Agent Version
8.13.4
Agent Output Type
elasticsearch
Elasticsearch Version
8.13.4
OS Version and Architecture
Elasticsearch Service
Software/API Version
No response
Error Message
Provided Grok expressions do not match field value: [Group <GroupPolicy_XXX> User IP <11.22.33.44> AnyConnect parent session started.]
Event Original
<166>: 2024 Aug 07 10:29:42 UTC ccafa9b4-b48a-4156-b3af-de2d35e5f432 : %FTD-auth-6-113039: Group <GroupPolicy_XXX> User <MacBook Pro belonging to bob.intune.xyz.local> IP <11.22.33.44> AnyConnect parent session started.
What did you do?
As documented for UDP ingestion.
What did you see?
See the grok error message.
What did you expect to see?
User name string parsed out correctly.
Anything else?
This is similar to the previous ticket #10505. The grok pattern
See pull request #10635 that also dealt with this issue.
I am only seeing this in logs with angle brackets "<" ">" around the username and think it could be added as an alternative pattern to CISCO_USER, while keeping CISCO_USER.
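The following is an added worked example, not code from the elastic/integrations repository or from the reporter. It reproduces the failure mode described in this issue with a small grok-to-regex expander: a user pattern that cannot contain whitespace (a constructed stand-in named `USER_NOSPACE`; the integration's real `CISCO_USER` definition is not reproduced here) fails on the 113039 message because the bracketed user name "MacBook Pro belonging to bob.intune.xyz.local" contains spaces, while a bracket-aware alternative (`USER_IN_BRACKETS`, also hypothetical) parses it and still handles a plain whitespace-free user name. The message bodies are built from the event in this report with the syslog header and `%FTD-auth-6-113039:` prefix stripped.

```python
"""Worked example for the 113039 parsing failure in this issue.

Added example, not code from elastic/integrations: the grok definitions are
constructed stand-ins (the integration's real CISCO_USER pattern is not
reproduced here), and the messages are built from the event in the report.
"""
import re
from typing import Optional

# Message body of the event from the issue, with the syslog header and the
# "%FTD-auth-6-113039:" prefix already stripped.
SAMPLE_MESSAGE = (
    "Group <GroupPolicy_XXX> User <MacBook Pro belonging to bob.intune.xyz.local> "
    "IP <11.22.33.44> AnyConnect parent session started."
)
# Constructed variant with a whitespace-free user name, for a regression check.
SAMPLE_PLAIN_USER = (
    "Group <GroupPolicy_XXX> User <bob> IP <11.22.33.44> "
    "AnyConnect parent session started."
)

# Hypothetical grok definitions (names are ours, not the integration's).
GROK_PATTERNS = {
    "NOTSPACE": r"\S+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    # "Before": a user name that may not contain whitespace.
    "USER_NOSPACE": r"\S+",
    # "After": when the pattern already supplies literal angle brackets around
    # the field, accept anything except another bracket, spaces included.
    "USER_IN_BRACKETS": r"[^<>]+",
}

GROK_REF = re.compile(r"%\{(?P<name>\w+)(?::(?P<field>\w+))?\}")


def grok_to_regex(grok: str, definitions: dict) -> "re.Pattern[str]":
    """Expand %{NAME:field} / %{NAME} references into a compiled Python regex."""
    def expand(m: "re.Match[str]") -> str:
        body = definitions[m.group("name")]
        field = m.group("field")
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, grok))


def grok_match(grok: str, text: str) -> Optional[dict]:
    """Return the captured fields, or None when the whole text does not match
    (the situation the pipeline reports as 'Provided Grok expressions do not
    match field value')."""
    m = grok_to_regex(grok, GROK_PATTERNS).fullmatch(text)
    return m.groupdict() if m else None


def pattern_113039(user_def: str) -> str:
    """Grok expression for the 113039 message, parameterised on the user pattern."""
    return (
        f"Group <%{{NOTSPACE:group}}> User <%{{{user_def}:user}}> "
        f"IP <%{{IP:ip}}> AnyConnect parent session started\\."
    )


def parse_with_nospace_user(text: str = SAMPLE_MESSAGE) -> Optional[dict]:
    """Parse with the whitespace-free user pattern (fails on the reported event)."""
    return grok_match(pattern_113039("USER_NOSPACE"), text)


def parse_with_bracket_user(text: str = SAMPLE_MESSAGE) -> Optional[dict]:
    """Parse with the bracket-aware alternative (handles spaces in the user name)."""
    return grok_match(pattern_113039("USER_IN_BRACKETS"), text)


if __name__ == "__main__":
    for label, fn in (("whitespace-free user", parse_with_nospace_user),
                      ("bracketed user", parse_with_bracket_user)):
        for msg in (SAMPLE_MESSAGE, SAMPLE_PLAIN_USER):
            print(f"{label:22s} -> {fn(msg)}")
```

Running the script shows `None` for the whitespace-free pattern on the reported message and a full field set for the bracket-aware one; both patterns still extract `bob` from the constructed plain-user message, which is the "keep CISCO_USER working" property the reporter asks for.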