Hi all,
I am trying to parse a log message. The original log looks like this:
Jul 10 08:51:10 prometheus sshd[19074]: Accepted password for my_user from 1.1.1.1 port 1111 ssh2
My filebeat conf is below:
---
filebeat.inputs:
  - type: filestream
    id: default-filestream
    paths:
      - ingest_data/*.log
      - /var/log/auth.log

filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true

processors:
  - add_docker_metadata: null
  - drop_event:
      when:
        not.contains:
          message: Accepted
  - dissect:
      tokenizer: "%{} %{} %{} prometheus sshd[%{pid|integer}]: Accepted password for %{service.user} from %{source.ip} port %{source.port} ssh2"
      field: "message"
      target_prefix: ""
      overwrite_keys: true

setup.kibana:
  host: ${KIBANA_HOSTS}
  username: ${ELASTIC_USER}
  password: ${ELASTIC_PASSWORD}

output.elasticsearch:
  hosts: ${ELASTIC_HOSTS}
  username: ${ELASTIC_USER}
  password: ${ELASTIC_PASSWORD}
  ssl.enabled: true
  ssl.certificate_authorities: certs/ca/ca.crt
  pipeline: geoip-info
I would like to have all the fields for the geoip enrichment.
The geoip is taken from the default processor ==> geoip.
Basically, I plan to do the geolocation based on this custom source.ip field from the log/message.
What am I doing wrong?
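One way to see what the dissect pattern in the post actually yields before the event ever reaches the geoip-info ingest pipeline is to run the same tokenizer over the sample line locally. The Python below is an added example, not part of the post and not Filebeat's own code: it re-implements a small subset of the dissect syntax (skip fields `%{}`, `%{name}`, and `%{name|integer}`) as an anchored regular expression, expands the dotted keys into the nested `source` and `service` objects Elasticsearch expects, and checks that the field a geoip processor would read holds a routable IP address. The tokenizer string and the sample log line are copied from the post; the sample line is the only input, and the helper names (`compile_tokenizer`, `dissect`, `nest`, `geoip_lookup_field_ok`) are the example's own.

```python
import ipaddress
import re

# Constructed sample input: the same line shown in the post.
SAMPLE_LINE = ("Jul 10 08:51:10 prometheus sshd[19074]: Accepted password "
               "for my_user from 1.1.1.1 port 1111 ssh2")

# Tokenizer copied verbatim from the post's dissect processor.
TOKENIZER = ("%{} %{} %{} prometheus sshd[%{pid|integer}]: Accepted password for "
             "%{service.user} from %{source.ip} port %{source.port} ssh2")

_KEY_RE = re.compile(r"%\{([^}]*)\}")


def compile_tokenizer(tokenizer):
    """Translate a dissect tokenizer into an anchored regex.

    Simplified re-implementation of the dissect syntax (an assumption of this
    example, not Filebeat's parser): %{} is a skip field, %{name} captures a
    string, %{name|integer} captures an int. Returns the compiled regex and the
    ordered list of (name, conversion) pairs, one per %{...} key.
    """
    parts, keys, pos = ["^"], [], 0
    for m in _KEY_RE.finditer(tokenizer):
        parts.append(re.escape(tokenizer[pos:m.start()]))  # literal delimiter
        name, _, conv = m.group(1).partition("|")
        keys.append((name, conv))
        parts.append("(.*?)")  # non-greedy: stop at the next literal delimiter
        pos = m.end()
    parts.append(re.escape(tokenizer[pos:]) + "$")
    return re.compile("".join(parts)), keys


def dissect(line, tokenizer=TOKENIZER):
    """Apply the tokenizer; return flat dotted-key fields, or None on no match."""
    regex, keys = compile_tokenizer(tokenizer)
    m = regex.match(line)
    if m is None:
        return None
    fields = {}
    for (name, conv), value in zip(keys, m.groups()):
        if not name:  # %{} skip field: consumed but not stored
            continue
        fields[name] = int(value) if conv == "integer" else value
    return fields


def nest(flat):
    """Expand dotted keys into nested objects: source.ip -> {"source": {"ip": ...}}."""
    event = {}
    for dotted, value in flat.items():
        node = event
        *path, leaf = dotted.split(".")
        for part in path:
            node = node.setdefault(part, {})
        node[leaf] = value
    return event


def geoip_lookup_field_ok(event, field="source.ip"):
    """Check the field a geoip processor would read: present, a valid IP, and
    routable. GeoIP databases carry no location for private or loopback ranges,
    so an event with such an address cannot be enriched even when parsing is fine."""
    node = event
    for part in field.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    try:
        addr = ipaddress.ip_address(node)
    except ValueError:
        return False
    return addr.is_global


if __name__ == "__main__":
    flat = dissect(SAMPLE_LINE)
    print("flat fields :", flat)
    event = nest(flat)
    print("nested event:", event)
    print("geoip-ready :", geoip_lookup_field_ok(event))
```

Running it shows that `pid` arrives as an integer while `source.port` stays a string, because only `pid` carries the `|integer` suffix in the pattern; a line that does not contain "Accepted password for" returns `None`, which corresponds to what the `drop_event` processor in the configuration would discard. The final check returns `False` for private addresses such as those in 10.0.0.0/8, which is a common reason a geoip processor adds no fields even though the dissect step worked.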