Hi, I have a secure log file with the following content:
Jan 12 08:28:24 name sshd[11483]: Did not receive identification string from xx.xxx.xxx.xx port xxxxx
Jan 12 08:38:54 name proftpd[12559]: xx.xxx.xxx.xx (xx.xxx.xxx.xx[xx.xxx.xxx.xx]) - USER word: no such user found from xx.xxx.xxx.xx [xx.xxx.xxx.xx] to ::ffff:xx.xxx.xxx.xx:21
Jan 12 10:13:47 name proftpd[24765]: xx.xxx.xxx.xx (xx.xxx.xxx.xx[xx.xxx.xxx.xx]) - USER word (Login failed): Incorrect password
As you can see, there are different kinds of lines (not all the same pattern).
I'm trying to write a config file that will only load the lines that contain 'Login failed'. Then I need the date and time, IP, and the username that was entered. How do I check the lines for the presence of 'Login failed', and create field names after that, since there are no fields to begin with?
What I have now:
input {
  file {
    path => "/home/name/secure/secure-log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}
filter {
  ...
}
output {
  elasticsearch {
    hosts => "localhost"
    index => "secure-logs"
    document_type => "secure-logs"
  }
  stdout {}
}
So I'd like something like:
if 'Login failed' in line:
  separator => " "
  columns => ["date", "time", "word", "ip", "ip2", "dash", "user", "username" ....]
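The filter section below is an added example of how this is usually done in Logstash; it is not part of the original post and is not from the poster's own config. Instead of splitting on spaces with columns, it keeps only events whose message contains 'Login failed' and then uses grok to name the pieces of the line (the standard SYSLOGBASE pattern covers the timestamp, host, program and pid; the tail of the pattern is built from the sample proftpd line above). Field names such as client_ip, ftp_user and reason are choices made here, not fields Logstash or proftpd define.

```logstash
filter {
  # Only the failed-login lines are kept; every other event is dropped
  # before it reaches the elasticsearch output.
  if "Login failed" in [message] {
    grok {
      # SYSLOGBASE = syslog timestamp, host, program[pid]:
      # The rest mirrors:  <ip> (<peer>) - USER <name> (Login failed): <reason>
      match => {
        "message" => "%{SYSLOGBASE} %{IP:client_ip} \(%{DATA:peer}\) - USER %{USERNAME:ftp_user} \(Login failed\): %{GREEDYDATA:reason}"
      }
    }
    # Turn the "Jan 12 08:28:24" text into @timestamp (no year in syslog
    # lines, so Logstash assumes the current year; adjust timezone if needed).
    date {
      match => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
    }
    # The raw line is no longer needed once the fields are extracted.
    mutate {
      remove_field => [ "message" ]
    }
  } else {
    drop { }
  }
}
```

A line that does not match the grok pattern gets the `_grokparsefailure` tag rather than being dropped, which is worth checking in the stdout output while testing. Note that `%{IP}` only matches real addresses, so the masked `xx.xxx.xxx.xx` sample lines shown above would fail the pattern; use `%{NOTSPACE:client_ip}` if you want to test against masked data.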