Aggregate secure/sshd syslog event based on selected events

Badger · March 23, 2023, 1:34am

That is even simpler

dissect { mapping => { "message" => "%{[@metadata][ts]} %{} %{[@metadata][program]}: %{[@metadata][restOfLine]}" } }
date { match => [ "[@metadata][ts]", "ISO8601" ] }
if [@metadata][restOfLine] =~ /Accepted .* for \w+ from/ {
    aggregate {
        task_id => "%{[@metadata][program]}"
        map_action => "create"
        code => '
            begin
                m = event.get("message").match(/Accepted .* for \w+ from (.*) port (\d+) /)
                map["sourceIp"] = m[1]
                map["sourcePort"] = m[2]
            rescue
            end
        '
    }
} else if [@metadata][restOfLine] =~ /session closed/ {
    aggregate {
        map_action => "update"
        end_of_task => true
        timeout => 120
        task_id => "%{[@metadata][program]}"
        code => '
            sourceIp =  map["sourceIp"]
            sourcePort = map["sourcePort"]
            event.set("message", event.get("message") + " from #{sourceIp} port #{sourcePort}")
        '
    }
}

Topic		Replies	Views
Logstash Filtering client hostname Logstash	1	303	September 13, 2019
How to filter out kernel messages by logstash? Logstash	4	653	January 11, 2019
Mantain source IP TCP Output Logstash	7	1451	May 15, 2022
Syslog filter for IP Logstash	4	841	March 7, 2021
Logstash parsing syslog Logstash	8	3520	July 6, 2017

Aggregate secure/sshd syslog event based on selected events

Related topics