Filter out two keywords from similiar lines

expert1 · April 19, 2018, 1:04am

Hi, I'm going to filter out user and result(Failed/error/Accepted) from below lines.

Failed password for root from 172.16.81.178 port 55152 ssh2

Accepted password for root from 172.16.81.178 port 55152 ssh2

Accepted keyboard-interactive/pam for root from 172.16.81.178 port 55199 ssh2

error: PAM: Failure setting user credentials for hongquan from 172.16.232.202

error: PAM: Authentication failure for root from 172.16.81.178

What I expect is:

Failed, root
Accepted,root
error, hongquan
error,root

Actually I did it by writing 2 similiar grok filters, which is pretty ugly.

Thanks.

expert1 · April 20, 2018, 4:40am

seems this works.

//match => [ "message", "%{WORD:method} (.*) for %{USERNAME:user} from %{IP:src_host}" ]

system · May 18, 2018, 4:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok with conditional patterns and adding a tag Logstash	3	23621	July 6, 2017
GROK not match Logstash	2	271	May 26, 2020
_grokparsefailure problem Logstash	3	362	September 4, 2019
Filter username or email address within space delimited string Logstash	4	319	March 9, 2021
Grok failure even after the fields were filtered out successfully Logstash	5	849	January 8, 2018