Data is redundant in filebeat system module

Hi, I indexed the Linux secure log via the Filebeat system module, and the user.name field is duplicated.

Most user.name values have two versions: one that starts with a blank and one that doesn't.

There are no blank strings with user.name meaning.

Has anyone experienced the same problem? Thanks in advance.

Solved the problem.
Just modify /usr/share/filebeat/module/system/auth/ingest/pipeline.yml.
Added a blank after the string invalid user.
Don't forget to add filebeat.overwrite_pipeline: true to filebeat.yml before restarting Filebeat.

Before:

  - grok:
      description: Grok specific auth messages.
      tag: grok-specific-messages
      field: _temp.message
      ignore_missing: true
      patterns:
        - '^%{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user)?%{DATA:user.name} from %{IPORHOST:source.address} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?'

After:

  - grok:
      description: Grok specific auth messages.
      tag: grok-specific-messages
      field: _temp.message
      ignore_missing: true
      patterns:
        - '^%{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.address} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?'
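To make the root cause visible without an Elasticsearch cluster, here is an added example (not from the thread or from Filebeat itself) that emulates the two grok patterns with plain Python regular expressions. The grok primitives (DATA, GREEDYDATA, IPORHOST, NUMBER) are replaced by simplified stand-ins, and the sshd lines are constructed samples. It shows that the original pattern hands the leading space to user.name whenever the optional "invalid user" group matches, so "admin" and " admin" become two distinct keyword values, and that moving the space inside the optional group fixes it.

```python
import re

# Simplified stand-ins for the grok primitives used in the pipeline pattern.
# These are constructed approximations; the real grok definitions are stricter.
GROK_PRIMITIVES = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IPORHOST": r"[A-Za-z0-9.\-:]+",
    "NUMBER": r"\d+",
}

# The two patterns from the thread: the original and the corrected one.
BEFORE = (r"^%{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user)?"
          r"%{DATA:user.name} from %{IPORHOST:source.address} port %{NUMBER:source.port:long} "
          r"ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?")
AFTER = BEFORE.replace("(invalid user)?", "(invalid user )?")

# Constructed sshd messages as they would appear in _temp.message after the
# syslog prefix has already been stripped by the earlier grok processor.
SAMPLE_LINES = [
    "Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2",
    "Failed password for admin from 203.0.113.5 port 4243 ssh2",
    "Accepted publickey for alice from 203.0.113.7 port 5555 ssh2: RSA SHA256:constructedfingerprint",
]


def grok_to_regex(pattern):
    """Translate %{PRIMITIVE:field[:type]} tokens into named Python groups.

    Grok field names contain dots, which Python group names cannot, so each
    token gets a synthetic group name that is mapped back to the field.
    """
    fields, types = {}, {}

    def substitute(match):
        primitive, field, type_hint = match.group(1), match.group(2), match.group(3)
        group = f"g{len(fields)}"
        fields[group] = field
        types[group] = type_hint
        return f"(?P<{group}>{GROK_PRIMITIVES[primitive]})"

    regex = re.sub(r"%\{(\w+):([\w.]+)(?::(\w+))?\}", substitute, pattern)
    return re.compile(regex), fields, types


def parse(pattern, line):
    """Apply a grok-style pattern to one line and return the extracted fields."""
    regex, fields, types = grok_to_regex(pattern)
    match = regex.match(line)
    if match is None:
        return None
    result = {}
    for group, value in match.groupdict().items():
        if value is None:  # optional group that did not participate
            continue
        # Honour the ":long" type hint the way the ingest grok processor does.
        result[fields[group]] = int(value) if types[group] == "long" else value
    return result


def user_names(pattern, lines):
    """Collect user.name as each line would be indexed under the given pattern."""
    return [parse(pattern, line)["user.name"] for line in lines]


if __name__ == "__main__":
    for label, pattern in (("before", BEFORE), ("after", AFTER)):
        names = user_names(pattern, SAMPLE_LINES)
        print(f"{label}: {names!r} -> {len(set(names))} distinct keyword values")
```

Running the block prints the user.name list under each pattern; the original yields three distinct values for two real accounts because of the leading space, the corrected one yields two. The same check can be reproduced against a live cluster by posting the documents to the _ingest/pipeline/_simulate API, but the regex emulation is enough to see why the keyword field splits.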
