Grok assigns the wrong names to captures under some conditions #2072

Closed
heymatthew opened this issue Nov 14, 2014 · 1 comment

@heymatthew

Description:
Composing grok patterns that share named captures will result in names binding to the wrong capture in the context of the composition.

Reproduction steps:
Set up the following patterns file (/etc/logstash/patterns/general/test-patterns)

SSH_KEYFILE_ERROR (?<tags>error): (?<failure>Could not load host key): %{PATH:keyfile}
SSH_PASSWORD_FAIL (?<failure>Failed password) for %{USER:username} from %{IPORHOST:clientip} port %{INT:port} %{WORD:protocal}
AUTH_SSH          (%{SSH_KEYFILE_ERROR}|%{SSH_PASSWORD_FAIL})

Run the patterns file using the following logstash config

input {
    generator {
        count   => 1
        message => "Nov 14 14:50:23 puppet sshd[36930]: Failed password for magicaluser from 127.0.0.1 port 43333 ssh2"
    }
}

output {
    stdout { codec => "rubydebug" }
}

filter {
    grok {
        patterns_dir => '/etc/logstash/patterns/general/test-patterns'
        match => [ "message", "%{AUTH_SSH}" ]
    }
}

Will print the following to standard out:

{
       "message" => "Nov 14 14:50:23 puppet sshd[36930]: Failed password for magicaluser from 127.0.0.1 port 43333 ssh2",
      "@version" => "1",
    "@timestamp" => "2014-11-14T03:16:26.831Z",
          "host" => "1051a1523d6e",
      "sequence" => 0,
      "username" => "Failed password",
      "clientip" => "magicaluser",
      "protocal" => "43333"
}

Expected output:

  • A field should exist called failure which captures the text 'Failed password'
  • The field username should contain the text 'magicaluser'
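
The condition in this report, one capture name (`failure`) defined by two patterns that are then composed, can be flagged before a patterns file is deployed, which matters when fields such as `username` and `clientip` feed authentication alerting. The Ruby check below is an added example, not part of the original issue or of Logstash's own code; its function names are hypothetical, and it assumes patterns not defined in the file (PATH, USER, IPORHOST, INT, WORD) contribute no named captures of their own.

```ruby
# Constructed sample: the patterns file from the report above.
PATTERNS_TEXT = <<~'EOS'
  SSH_KEYFILE_ERROR (?<tags>error): (?<failure>Could not load host key): %{PATH:keyfile}
  SSH_PASSWORD_FAIL (?<failure>Failed password) for %{USER:username} from %{IPORHOST:clientip} port %{INT:port} %{WORD:protocal}
  AUTH_SSH          (%{SSH_KEYFILE_ERROR}|%{SSH_PASSWORD_FAIL})
EOS

# A native named group "(?<name>" or a grok reference "%{PATTERN}" / "%{PATTERN:field}".
TOKEN = /\(\?<([A-Za-z_]\w*)>|%\{(\w+)(?::([^}]+))?\}/

# Parse "NAME regex" lines into a hash, skipping blank lines and comments.
def parse_patterns(text)
  text.each_line.with_object({}) do |line, defs|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    name, body = line.split(/\s+/, 2)
    defs[name] = body if body
  end
end

# Capture names, in order of appearance, once references to patterns defined
# in `defs` are expanded. Assumption: undefined (built-in) patterns add none.
def capture_names(name, defs, stack = [])
  raise ArgumentError, "recursive pattern: #{name}" if stack.include?(name)
  defs.fetch(name).scan(TOKEN).flat_map do |group, ref, field|
    next [group] if group
    own = field ? [field.split(':').first] : []   # drop a ":type" suffix
    own + (defs.key?(ref) ? capture_names(ref, defs, stack + [name]) : [])
  end
end

# Names bound more than once inside one composed pattern.
def shared_captures(name, defs)
  capture_names(name, defs).group_by(&:itself).select { |_, v| v.size > 1 }.keys
end

if __FILE__ == $PROGRAM_NAME
  defs = parse_patterns(PATTERNS_TEXT)
  defs.each_key do |name|
    dups = shared_captures(name, defs)
    puts "#{name}: shared capture name(s): #{dups.join(', ')}" unless dups.empty?
  end
end
```
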
@jordansissel
Contributor

For Logstash 1.5.0, we've moved all plugins to individual repositories, so I have moved this issue to logstash-plugins/logstash-filter-grok#29. Let's continue the discussion there! :)
