Logstash - OpenSSHd

1. input {
2.     file {
3.         path => [ "/tmp/secure" ]
4.         sincedb_path => "/dev/null"
5.         start_position => "beginning"
6.     }
7. }
8.  
9. filter {
10.     if "Failed" in [message] {
11.         grok {
12.             match => {
13.                 "message" => "%{SYSLOGBASE} %{WORD:system.auth.ssh.event} %{WORD:system.auth.ssh.method} %{WORD} %{WORD} %{WORD} %{USERNAME:system.auth.user} %{WORD} %{IP:system.auth.ssh.ip} %{WORD} %{WORD:system.auth.ssh.port} %{WORD}"
14.             }
15.         }
16.         if "_grokparsefailure" in [tags] {
17.             drop { }
18.         }
19.     }
20.     else if "Accepted" in [message] {
21.         grok {
22.             match => {
23.                 "message" => "%{SYSLOGBASE} %{WORD:system.auth.ssh.event} %{WORD:system.auth.ssh.method} %{WORD} %{USERNAME:system.auth.user} %{WORD} %{IP:system.auth.ssh.ip} %{WORD} %{WORD:system.auth.ssh.port} %{WORD}"
24.             }
25.         }
26.         if "_grokparsefailure" in [tags] {
27.             drop { }
28.         }      
29.     }
30.     else {
31.         drop { }
32.     }
33.     date {
34.             match => [ "timestamp", "MMM  d HH:mm:ss"]
35.             target => "@timestamp"
36.             remove_field => "timestamp"
37.     }  
38. }
39.  
40. output {
41.     file {
42.         path => "/tmp/output.json"
43.         codec => "json_lines"
44.     }
45. }