Hello,
I am trying to grok a TACACS authentication log file from tac_plus.
Example of a log line:
2020-04-09 16:13:26 +0200 10.2.0.163 test tty2 8.8.8.8 shell login succeeded
This is my filter:
filter {
  if [type] == "Tacacs" {
    if [log][file][path] == "/var/log/tac_plus/authentication.log" {
      # Parse the tac_plus line; the timezone offset is hard-coded to +0200
      grok {
        match => { "message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} \+0200 %{IP:destination.ip} %{USER:user.name}%{SPACE}(%{NOTSPACE}%{SPACE})?%{IP:source.ip} shell login %{WORD:tacacs.outcome}(%{GREEDYDATA})?" }
      }
      # Map the tac_plus outcome word to an ECS-style event.outcome
      if [tacacs.outcome] == "succeeded" {
        mutate {
          add_field => { "event.outcome" => "success" }
        }
      } else {
        mutate {
          add_field => { "event.outcome" => "failure" }
        }
      }
      mutate {
        add_field => { "event.category" => "authentication" }
      }
    }
  }
}
I don't know why, but I get the values as arrays:
  "destination.ip": [
    "10.2.0.163",
    "10.2.0.163"
  ],
  "event.outcome": [
    "success",
    "failure"
  ],
  "event.category": [
    "authentication",
    "authentication"
  ],
  "source.ip": [
    "8.8.8.8",
    "8.8.8.8"
  ],
Can you help me understand where my problem is?
Thank you for your help.
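As an added illustration, not part of the original post and not Logstash's own code: the grok pattern from the post translated by hand into a Python regex, plus a small model of how Logstash grok captures and `mutate add_field` behave when a field already exists on the event (the existing value becomes an array and the new value is appended; grok's `overwrite` option is what disables this). Running the modelled filter once over the sample line gives plain string fields; running the same filter block a second time over the same event reproduces exactly the arrays shown above, including `event.outcome` becoming `["success", "failure"]`, because on the second pass `[tacacs.outcome]` is already an array and no longer equals the string `"succeeded"`. The function names (`merge_field`, `apply_filter`, `run_pipeline`) and the sample line are this example's own assumptions.

```python
import re

# Sample line taken from the post (tac_plus authentication.log format).
SAMPLE_LINE = "2020-04-09 16:13:26 +0200 10.2.0.163 test tty2 8.8.8.8 shell login succeeded"

# Hand translation of the grok pattern from the post into a Python regex.
# Grok shorthands expanded: IP -> dotted quad, USER -> [a-zA-Z0-9._-]+, WORD -> \w+.
GROK_AS_REGEX = re.compile(
    r"^(?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2}) "
    r"(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2}) \+0200 "
    r"(?P<destination_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<user_name>[a-zA-Z0-9._-]+)\s+"
    r"(?:\S+\s+)?"                      # optional tty column, not captured
    r"(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3}) shell login "
    r"(?P<outcome>\w+)(?:.*)?$"
)

# Regex group name -> the Logstash field name used in the post.
FIELD_NAMES = {
    "destination_ip": "destination.ip",
    "user_name": "user.name",
    "source_ip": "source.ip",
    "outcome": "tacacs.outcome",
}


def merge_field(event, field, value):
    """Model of Logstash's behaviour for grok captures and mutate add_field when
    the target field already exists: convert to an array and append."""
    if field not in event:
        event[field] = value
    elif isinstance(event[field], list):
        event[field].append(value)
    else:
        event[field] = [event[field], value]


def apply_filter(event):
    """One pass of the filter block from the post over a single event dict."""
    m = GROK_AS_REGEX.match(event["message"])
    if m is None:
        merge_field(event, "tags", "_grokparsefailure")
        return event
    for group, field in FIELD_NAMES.items():
        merge_field(event, field, m.group(group))
    # Logstash treats an array compared to a string as not equal, so this
    # branch is only taken while tacacs.outcome is still a plain string.
    if event.get("tacacs.outcome") == "succeeded":
        merge_field(event, "event.outcome", "success")
    else:
        merge_field(event, "event.outcome", "failure")
    merge_field(event, "event.category", "authentication")
    return event


def run_pipeline(line, passes=1):
    """Build a fresh event from line and run the filter block `passes` times."""
    event = {"message": line}
    for _ in range(passes):
        apply_filter(event)
    return event


if __name__ == "__main__":
    import json
    print("filter applied once:")
    print(json.dumps(run_pipeline(SAMPLE_LINE, passes=1), indent=2))
    print("filter applied twice (reproduces the arrays from the post):")
    print(json.dumps(run_pipeline(SAMPLE_LINE, passes=2), indent=2))
```

Because every affected field carries the value twice and `event.outcome` carries both branches, the shape of the output is what a filter block executing twice per event produces. A common way for that to happen in Logstash is the same configuration being loaded twice, for instance a backup copy of the `.conf` file left in the directory that `path.config` points at, or two pipelines both reading the same file, so comparing the output of `--config.test_and_exit` and the pipeline listing against the intended single copy is a sensible first check.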