robcowart/synesis_lite_snort

snort logs from Pfsense have tags":["__snort_alert_fast_pattern_mismatch"]}

Closed this issue · 1 comment

Hello,
I am trying to use this nice project for getting Snort pfSense alerts into Elasticsearch.
I wrote a grok filter since I saw that the current filters do not suit the pfSense Snort format, which is:
"08/15/19-12:37:53.466898 ,1,2012247,2,\"ET P2P BTWebClient UA uTorrent in use\",TCP,213.123.237.19,26730,178.79.242.19,80,0,Potential Corporate Privacy Violation,1",

The grok filter I use is as follows:
%{SNALTM:[snort_timestamp]}%{SPACE},%{NONNEGINT:[gid]},%{NONNEGINT:[sid]},%{NONNEGINT:[rev]},\"%{GREEDYDATA:[signature]}\",%{NOTCURLYCLOSE:[proto]},%{IP:[src_ip]},%{INT:[src_port]},%{IP:[dest_ip]},%{INT:[dest_port]},%{NOTSQRCLOSE:[class]},%{NONNEGINT:[priority]},?.*$

with the added pattern SNALTM %{DATE_US}-%{TIME}
With all of the above I still get the message below in ES. Any idea how to ingest it correctly?
Please advise.
Thanks
{"_id":"fa6MlGwBvXhfIZ9HQqtv","_type":"_doc","_index":"snort-1.0.0-2019.08.15","@timestamp":["2019-08-15T09:11:04.736Z"],"input":{"type":"log"},"@version":"1.0.0","node":{"ipaddr":"212.143.237.1","hostname":"gfn-fw-bsh.gefen.local"},"event":{"message":"08/15/19-12:11:04.639465 ,1,2027397,2,\"ET POLICY Spotify P2P Client\",UDP,213.123.237.147,57621,213.133.237.255,57621,427,Not Suspicious Traffic,3","type":"snort","host":{"name":"gfn-fw-bsh.n.local"}},"log":{"file":{"path":"/var/log/snort/snort_igb15370/alert"}},"tags":["__snort_alert_fast_pattern_mismatch"]}
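To make the expected field layout concrete, here is an added Python example (not part of this issue or of the synesis_lite_snort project) that parses the pfSense Snort alert line quoted above with a regular expression equivalent to the grok fields the poster lists (snort_timestamp, gid, sid, rev, signature, proto, src_ip, src_port, dest_ip, dest_port, class, priority). It also shows why the JSON-escaped rendering of the line (`\"` around the signature, as it appears in the `event.message` field) does not match a pattern written for the raw log, where the signature is surrounded by plain double quotes. The extra numeric column between dest_port and class is captured under an assumed name, `extra`, because the issue does not say what it is; the third sample line is constructed from the issue's JSON rendering to exercise the failure path.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Regular-expression equivalent of a grok filter for the pfSense Snort alert line.
# Field order as seen in the issue's samples:
#   timestamp ,gid,sid,rev,"signature",proto,src_ip,src_port,dest_ip,dest_port,
#   <numeric column not named in the issue>,class,priority
ALERT_RE = re.compile(
    r"^(?P<snort_timestamp>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s*,"
    r"(?P<gid>\d+),(?P<sid>\d+),(?P<rev>\d+),"
    r'"(?P<signature>[^"]*)",'   # raw log: plain double quotes, no backslash
    r"(?P<proto>[^,]+),"
    r"(?P<src_ip>[^,]+),(?P<src_port>\d*),"
    r"(?P<dest_ip>[^,]+),(?P<dest_port>\d*),"
    r"(?P<extra>\d*),"           # assumed name; the 0 / 427 column of the samples
    r"(?P<class>[^,]*),"
    r"(?P<priority>\d+)"
    r"(?:,.*)?$"
)

INT_FIELDS = ("gid", "sid", "rev", "src_port", "dest_port", "priority")


def parse_alert(line: str) -> Optional[dict]:
    """Parse one pfSense Snort alert line into a dict of named fields.

    Returns None when the line does not match, which is the situation in which
    Logstash would attach a mismatch tag instead of the parsed fields.
    """
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    for key in INT_FIELDS:
        event[key] = int(event[key]) if event[key] else None
    # Snort writes MM/DD/YY-HH:MM:SS.usec; keep the raw string and add a datetime
    event["timestamp"] = datetime.strptime(
        event["snort_timestamp"], "%m/%d/%y-%H:%M:%S.%f"
    )
    return event


def parse_alert_file(text: str) -> Tuple[List[dict], List[str]]:
    """Split alert-file text into parsed events and lines that failed to match."""
    events: List[dict] = []
    failed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_alert(line)
        if event is None:
            failed.append(line)
        else:
            events.append(event)
    return events, failed


# Constructed sample: the two raw lines from the issue, plus the JSON-escaped
# rendering of the second line (backslash-quote) as it appears in event.message.
SAMPLE_ALERTS = r'''
08/15/19-12:37:53.466898 ,1,2012247,2,"ET P2P BTWebClient UA uTorrent in use",TCP,213.123.237.19,26730,178.79.242.19,80,0,Potential Corporate Privacy Violation,1
08/15/19-12:11:04.639465 ,1,2027397,2,"ET POLICY Spotify P2P Client",UDP,213.123.237.147,57621,213.133.237.255,57621,427,Not Suspicious Traffic,3
08/15/19-12:11:04.639465 ,1,2027397,2,\"ET POLICY Spotify P2P Client\",UDP,213.123.237.147,57621,213.133.237.255,57621,427,Not Suspicious Traffic,3
'''

if __name__ == "__main__":
    parsed, unparsed = parse_alert_file(SAMPLE_ALERTS)
    for ev in parsed:
        print(ev["timestamp"], ev["sid"], ev["proto"], ev["src_ip"], "->",
              ev["dest_ip"], ev["class"], ev["priority"])
    for line in unparsed:
        print("NO MATCH:", line)
```

Running the block parses the two raw lines and reports the JSON-escaped one as a non-match; a grok pattern that expects a backslash before the quote has the opposite problem and will fail on every raw line, which is one thing worth checking when a whole file comes back tagged as a pattern mismatch.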

Closing all issues as this project has been archived.