Config file that checks conditions before naming fields

Hi, I have a secure log file with the following content:

Jan 12 08:28:24 name sshd[11483]: Did not receive identification string from xx.xxx.xxx.xx port xxxxx
Jan 12 08:38:54 name proftpd[12559]: xx.xxx.xxx.xx (xx.xxx.xxx.xx[xx.xxx.xxx.xx]) - USER word: no such user found from xx.xxx.xxx.xx [xx.xxx.xxx.xx] to ::ffff:xx.xxx.xxx.xx:21
Jan 12 10:13:47 name proftpd[24765]: xx.xxx.xxx.xx (xx.xxx.xxx.xx[xx.xxx.xxx.xx]) - USER word (Login failed): Incorrect password

As you can see, there are different kinds of lines (they don't all follow the same pattern).
I'm trying to write a config file that will only load the lines that contain 'Login failed'. Then, I need the date and time, IP, and inserted username. How do I check the lines for the presence of 'Login failed', and create field names after that, since there are no fields to begin with?

What I have now:

input {
    file {
        path => "/home/name/secure/secure-log"
        start_position => "beginning"
        sincedb_path => "/dev/null"
    }
}

filter {
  ...
}

output {
    elasticsearch {
        hosts => "localhost"
        index => "secure-logs"
        document_type => "secure-logs"
    }
    stdout {}
}

So I'd like something like:

if 'Login failed' in line:
    separator => " "
    columns => ["date", "time", "word", "ip", "ip2", "dash", "user", "username" ....]

You can do a substring match using

if "Login failed" in [message] {
    ...
}

But what is [message]? Because there are no specific fields I can look for since there are no fields to begin with. I also can't create fields before conditioning because every line has a different pattern.

A file input will read each line from the file and for each line it creates an event with the text of the line in the [message] field.

Hmm I'm not sure what you mean. Could you show an example?
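The following is an added example and not something posted by anyone in this thread. It puts the two ideas from the replies together: the file input stores each raw line in [message], the conditional keeps only lines containing "Login failed", and a grok filter then carves the timestamp, client IP and attempted username out of that text (grok, not the csv filter, is the right tool when the fields are positional inside free text). The file path, the hostname "name" and the field names chosen here are assumptions; the grok pattern is written against the proftpd line quoted in the question, and the IP placeholders in that quote (xx.xxx.xxx.xx) have to be real addresses for %{IP} to match.

```logstash
# Added example, not from the thread. Keeps only proftpd "Login failed" lines
# and breaks them into fields before indexing. Path is an assumption.
input {
  file {
    path => "/home/name/secure/secure-log"   # assumed path
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
  # The file input creates one event per line, with the raw text in [message].
  # There are no other fields yet, so the substring test runs against [message]
  # and everything that is not a failed login is dropped here.
  if "Login failed" not in [message] {
    drop { }
  }

  # Create fields from the raw text. Pattern names are Logstash's bundled grok
  # patterns (SYSLOGTIMESTAMP, SYSLOGHOST, POSINT, IP, DATA, NOTSPACE, GREEDYDATA).
  # Matches lines shaped like:
  #   Jan 12 10:13:47 name proftpd[24765]: 1.2.3.4 (host[1.2.3.4]) - USER word (Login failed): Incorrect password
  grok {
    match => {
      "message" => "%{SYSLOGTIMESTAMP:log_timestamp} %{SYSLOGHOST:log_host} proftpd\[%{POSINT:pid}\]: %{IP:client_ip} \(%{DATA:client_name}\[%{IP:client_ip_bracket}\]\) - USER %{NOTSPACE:attempted_user} \(Login failed\): %{GREEDYDATA:failure_reason}"
    }
    # A "Login failed" line that does not fit this pattern is tagged instead of
    # being indexed silently with no fields, so gaps in the pattern are visible.
    tag_on_failure => ["_grokparsefailure_proftpd"]
  }

  # Turn "Jan 12 10:13:47" into @timestamp. Syslog timestamps carry no year,
  # so Logstash assumes the current one; add `timezone => "..."` if the file
  # was not written in the Logstash host's local zone.
  date {
    match => ["log_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"]
  }
}

output {
  elasticsearch {
    hosts => "localhost"
    index => "secure-logs"
    document_type => "secure-logs"
  }
  # rubydebug prints every field of each event, which is the quickest way to
  # confirm the grok pattern produced client_ip and attempted_user.
  stdout { codec => rubydebug }
}
```

After a run, each indexed document carries `client_ip`, `attempted_user` and a parsed `@timestamp`, so a query for repeated failures from one address or against one username is a plain aggregation rather than a text search; any event tagged `_grokparsefailure_proftpd` points at a line shape the pattern does not yet cover.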

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.