Match logs without junos@ip

[ernst-s]

Change grok pattern to match SRX logs which don't containt the junos@ip before the other fields. Prevents stripping of the first field.

• Enhancement

What does this PR do?

Changes grok pattern to match both styles of logs.
Current pattern removes the first field of the logs without junos@IP.
See example below for both types of logs:

Example recent branch SRX:

<14>1 2023-01-26T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [source-address="10.0.0.1" source-port="594" destination-address="67.43.156.13" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="67.43.156.13" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]

Currently correctly parsed format:
<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address="10.0.0.1" source-port="594" destination-address="67.43.156.13" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="67.43.156.13" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

[cla-checker-service]

💚 CLA has been signed

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-02-03T05:53:22.562+0000

• Duration: 16 min 4 sec

Test stats 🧪

Test	Results
Failed	0
Passed	13
Skipped	0
Total	13

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[kcreddy]

Hey @ernst-s
Could you please sign the CLA and make following changes to the PR:

1. Add changelog.yml entry and update version in manifest.yml
2. Add your test log sample to this file and run package tests

[ernst-s]

I signed the CLA. (and used the correct e-mail for the commit )

[kcreddy]

/test

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (7/7)	💚 2.463
Classes	100.0% (7/7)	💚 2.463
Methods	100.0% (50/50)	💚 8.603
Lines	70.799% (1525/2154)	👎 -21.409
Conditionals	100.0% (0/0)	💚

[kcreddy]

/test

[kcreddy]

LGTM

[elasticmachine]

Package juniper_srx - 1.9.0 containing this change is available at https://epr.elastic.co/search?package=juniper_srx