I am having some trouble forwarding the logs from rsyslog to Logstash. I wrote this grok filter, but it is not working. Maybe the problem is that the server is writing all the logs on a single line.
(?<AUDIt_LOG>[(0-9A-U]{0,4})(?<DATE>[0-9A-F]{8})%{INT:Log_Code}(?<Type>[a-zA-Z]{0,5})%{NOTSPACE:ServiceName} %{SPACE} %{NOTSPACE:Host} %{SPACE} %{WORD:Bank}&&%{WORD:BANK2}%{SPACE} %{WORD:USERNAME}
Please follow this link for a sample log: https://drive.google.com/open?id=0Bx8yrs4bWFFjTFlpTkJhTl9SMHM
You should definitely have one log per line. You could also use the Grok Debugger to make sure that the logs get parsed properly.
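To show why one event per line matters, here is an added example (not code from the question or the answer). It compiles a grok-style pattern into a Python regex with a tiny, hand-transcribed subset of the stock grok library (INT, WORD, NOTSPACE, SPACE), applies it the way the grok filter does (first match in the event, no iteration), and feeds it the same two events once as two lines and once concatenated on a single line. The pattern and the sample events are constructed assumptions in the shape the question's pattern suggests; they are not taken from the poster's log.

```python
import re
from typing import Dict, List, Optional

# Minimal subset of Logstash's stock grok pattern library, transcribed here
# so the example runs offline (the real definitions live in grok-patterns).
GROK_LIBRARY = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "SPACE": r"\s*",
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(grok_pattern: str) -> "re.Pattern[str]":
    """Translate a grok pattern into a compiled Python regex.

    %{NAME} becomes a non-capturing group, %{NAME:field} a named group, and
    Oniguruma-style (?<field>...) groups, which grok itself accepts, are
    rewritten to Python's (?P<field>...) syntax.
    """
    def expand(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_LIBRARY[name]  # KeyError on an unknown pattern name
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    regex = _GROK_REF.sub(expand, grok_pattern)
    regex = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)
    return re.compile(regex)


def grok_match(compiled: "re.Pattern[str]", event: str) -> Optional[Dict[str, str]]:
    """Mimic the grok filter: the first match anywhere in the event, or none.

    Like Logstash, this does not keep scanning after the first match, so any
    further events glued onto the same line are silently ignored.
    """
    m = compiled.search(event)
    return m.groupdict() if m else None


def parse_events(compiled: "re.Pattern[str]", raw: str) -> List[Dict[str, str]]:
    """One event per line: split on newlines and grok each line separately."""
    results = []
    for line in raw.splitlines():
        fields = grok_match(compiled, line)
        if fields is not None:
            results.append(fields)
    return results


# Hypothetical pattern in the shape the question's pattern suggests; field
# names, order and separators are assumptions, not the poster's real format.
AUDIT_PATTERN = (
    r"(?<AUDIT_LOG>[0-9A-U]{4}) (?<DATE>[0-9A-F]{8}) %{INT:Log_Code} "
    r"(?<Type>[a-zA-Z]{1,5}) %{NOTSPACE:ServiceName} %{NOTSPACE:Host} "
    r"%{WORD:Bank}&&%{WORD:Bank2} %{WORD:Username}"
)

# Constructed sample events (not real data) that fit AUDIT_PATTERN.
EVENT_1 = "AU01 5B3A1F2E 1002 INFO payment-svc host01 ACME&&CORP jdoe"
EVENT_2 = "AU02 5B3A1F2F 4003 WARN auth-svc host02 ACME&&CORP asmith"

ONE_EVENT_PER_LINE = EVENT_1 + "\n" + EVENT_2 + "\n"
ALL_ON_ONE_LINE = EVENT_1 + " " + EVENT_2 + "\n"  # the situation in the question


def demo():
    """Return (events recovered line-by-line, events recovered from one line)."""
    compiled = grok_to_regex(AUDIT_PATTERN)
    per_line = parse_events(compiled, ONE_EVENT_PER_LINE)
    single_line = parse_events(compiled, ALL_ON_ONE_LINE)
    return len(per_line), len(single_line)


if __name__ == "__main__":
    print(demo())  # two events line-by-line, only one from the single line
```

With both events on one line the pattern still matches, so grok reports no `_grokparsefailure`; it just returns the first event and drops the second, which is the quiet failure mode to watch for. One more caveat on the posted pattern itself: grok's `SPACE` is `\s*`, so ` %{SPACE} ` written with literal spaces on both sides only matches when at least two whitespace characters separate the fields; use either the literal space or `%{SPACE}`, not both.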