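# Logstash pipeline: read sshd login results ("Failed ..." / "Accepted ...")
# from a syslog auth file, extract event, method, user, source IP and port,
# and write each event as one JSON line. Anything that is not an sshd login
# result, or that the grok patterns cannot parse, is dropped.
input {
  file {
    path => [ "/tmp/secure" ]
    # sincedb in /dev/null together with start_position "beginning" means the
    # whole file is re-read on every pipeline start (batch / one-shot use).
    # For a live tail keep a real sincedb path, otherwise restarts duplicate events.
    sincedb_path => "/dev/null"
    start_position => "beginning"
  }
}

filter {
  if "Failed" in [message] {
    grok {
      # Patterns are tried in order; the first that matches wins.
      # 1) "Failed <method> for invalid user <user> from <ip> port <port> ssh2"
      #    (three bare words: "for invalid user").
      # 2) "Failed <method> for <user> from <ip> port <port> ssh2" — the same
      #    line for an account that exists (e.g. root). It has only "for"
      #    before the user name, so pattern 1 does not match it; without
      #    pattern 2 every failed login against a real account was discarded
      #    below as a grok failure.
      match => {
        "message" => [
          "%{SYSLOGBASE} %{WORD:system.auth.ssh.event} %{WORD:system.auth.ssh.method} %{WORD} %{WORD} %{WORD} %{USERNAME:system.auth.user} %{WORD} %{IP:system.auth.ssh.ip} %{WORD} %{WORD:system.auth.ssh.port} %{WORD}",
          "%{SYSLOGBASE} %{WORD:system.auth.ssh.event} %{WORD:system.auth.ssh.method} %{WORD} %{USERNAME:system.auth.user} %{WORD} %{IP:system.auth.ssh.ip} %{WORD} %{WORD:system.auth.ssh.port} %{WORD}"
        ]
      }
    }
    # USERNAME only matches [a-zA-Z0-9._-]+; an attempted login name containing
    # other characters fails both patterns and the event is silently dropped
    # here. Tag-and-keep instead of drop if those attempts must be retained.
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }
  else if "Accepted" in [message] {
    grok {
      # "Accepted <method> for <user> from <ip> port <port> ssh2[: ...]"
      match => {
        "message" => "%{SYSLOGBASE} %{WORD:system.auth.ssh.event} %{WORD:system.auth.ssh.method} %{WORD} %{USERNAME:system.auth.user} %{WORD} %{IP:system.auth.ssh.ip} %{WORD} %{WORD:system.auth.ssh.port} %{WORD}"
      }
    }
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }
  else {
    # Not a login result line.
    drop { }
  }

  date {
    # The syslog "timestamp" field has no year (Logstash assumes the current
    # one) and pads single-digit days with a second space ("Oct  3"). Joda
    # does not collapse whitespace, so both spacings are listed; the original
    # single-space form stays first.
    match => [ "timestamp", "MMM d HH:mm:ss", "MMM  d HH:mm:ss" ]
    target => "@timestamp"
    remove_field => "timestamp"
  }
}

output {
  file {
    path => "/tmp/output.json"
    codec => "json_lines"
  }
}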