I'm sorry, I made the mistake of assuming that your messages had the format that you showed in your original question. You can change the dissect
dissect { mapping => { "message" => "<%{}>%{[@metadata][ts]} %{} %{[@metadata][program]}: ...
to fix the _dissectfailure issues.
Not sure what you mean by this. My code modifies the "session closed" message to include details from the "Accepted password for test_user" message. If you only want those two messages kept you could change
if [@metadata][restOfLine] =~ /Accepted .* for \w+ from/ {
....
} else if [@metadata][restOfLine] =~ /session closed/ {
....
}
to
if [@metadata][restOfLine] =~ /Accepted .* for \w+ from/ {
....
} else if [@metadata][restOfLine] =~ /session closed/ {
....
} else {
drop {}
}
I cannot see a use case where I would want that.
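As an added illustration that is not part of the original reply or the poster's pipeline, this Python snippet emulates what the dissect mapping and the keep-or-drop conditional above do: it parses the `<PRI>TIMESTAMP HOST PROGRAM: REST` shape, keeps only the "Accepted" and "session closed" messages, drops everything else, and copies user and source IP from the login message onto the matching "session closed" message. It assumes a single-token (RFC 3339) timestamp, that the program field carries the sshd pid in brackets (`sshd[1234]`), and that login and close are matched by that field; the sample lines are constructed.

```python
import re
from typing import Optional

# Constructed sample lines: <PRI>RFC3339-TIMESTAMP HOST PROGRAM[PID]: REST
# (the pid-in-brackets convention and the timestamp format are assumptions)
SAMPLE_LINES = [
    "<38>2019-01-10T12:00:01+00:00 host1 sshd[1234]: Accepted password for test_user from 10.0.0.5 port 51234 ssh2",
    "<38>2019-01-10T12:00:01+00:00 host1 sshd[1234]: pam_unix(sshd:session): session opened for user test_user",
    "<30>2019-01-10T12:00:02+00:00 host1 cron[999]: (root) CMD (run-parts /etc/cron.hourly)",
    "<38>2019-01-10T12:05:09+00:00 host1 sshd[1234]: pam_unix(sshd:session): session closed for user test_user",
]

# Equivalent of the dissect mapping
# "<%{}>%{[@metadata][ts]} %{} %{[@metadata][program]}: %{[@metadata][restOfLine]}"
DISSECT = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) (?P<program>[^:]+): (?P<rest>.*)$")
ACCEPTED = re.compile(r"Accepted .* for (?P<user>\w+) from (?P<ip>\S+)")
CLOSED = re.compile(r"session closed")


def dissect(line: str) -> Optional[dict]:
    """Return the dissected fields, or None (the _dissectfailure case)."""
    m = DISSECT.match(line)
    return m.groupdict() if m else None


def filter_lines(lines):
    """Keep only login and session-close events; enrich the close with login details."""
    logins = {}  # program field (e.g. "sshd[1234]") -> details from the Accepted message
    kept = []
    for line in lines:
        ev = dissect(line)
        if ev is None:
            continue  # a dissect failure; a real pipeline would tag it instead
        accepted = ACCEPTED.search(ev["rest"])
        if accepted:
            logins[ev["program"]] = {"user": accepted.group("user"), "ip": accepted.group("ip")}
            kept.append(ev)
        elif CLOSED.search(ev["rest"]):
            ev.update(logins.pop(ev["program"], {}))  # copy user/ip onto the close event
            kept.append(ev)
        # every other message is dropped, like the `else { drop {} }` branch
    return kept


if __name__ == "__main__":
    for ev in filter_lines(SAMPLE_LINES):
        print(ev["ts"], ev["program"], ev.get("user"), ev.get("ip"), ev["rest"])
```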