Grok filter for the logs coming from Nagios

Can someone please assist in writing a grok filter for the raw data below, captured by tcpdump?
The logs are tagged as "siem" to be forwarded from a Nagios server to our Elasticsearch; basically `["siem"]` marks the end of each message.

```
{"message":"<14>2019-11-25T15:27:02.943087+11:00 compute-2201-1210502.domain.tld audispd[39023]: node=compute-2201-1210502.domain.tld type=PATH msg=audit(1574656022.937:25241450): item=0 name="/usr/bin/sudo" inode=54938 dev=fc:02 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL","@Version":"1","@timestamp":"2019-11-25T04:27:02.675Z","type":"syslog","host":"10.5.0.174","tags":["siem"]}
{"message":"<85>Nov 25 04:27:00 22rrpcsu0316 sudo: monitor : TTY=unknown ; PWD=/home/monitor ; USER=root ; COMMAND=/sbin/pvs --noheadings -o pv_name,pv_attr","@Version":"1","@timestamp":"2019-11-25T04:27:02.683Z","host":"10.5.0.12","port":38612,"type":"syslog","tags":["siem"]}
{"message":"<85>Nov 25 04:27:00 22rrpcsu0316 sudo: monitor : TTY=unknown ; PWD=/home/monitor ; USER=root ; COMMAND=/sbin/vgs --noheadings -o vg_name,vg_attr","@Version":"1","@timestamp":"2019-11-25T04:27:02.683Z","host":"10.5.0.12","port":38612,"type":"syslog","tags":["siem"]}
{"message":"<14>2019-11-25T15:27:02.954896+11:00 compute-2201-1210502.domain.tld audispd[39023]: node=compute-2201-1210502.domain.tld type=USER_START msg=audit(1574656022.949:25241451): pid=247906 uid=0 auid=10054 ses=2024952 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'","@Version":"1","@timestamp":"2019-11-25T04:27:02.683Z","type":"syslog","host":"10.5.0.174","tags":["siem"]}
```
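No filter was posted in the thread, so the following is an added example, not code from the original post or from Logstash's own pattern library. It performs the parse the capture above needs, in Python so it can be run against the records: split the back-to-back JSON objects, match the two syslog header shapes (ISO 8601 timestamp for the audispd records, BSD timestamp for the sudo lines), decode the PRI into facility and severity, and then parse the body per program. The named-group regexes are the expressions a grok `match` would carry (grok writes `(?<name>...)` where Python writes `(?P<name>...)`). Assumptions: the sample records are constructed from the post, with the double quotes inside the audit fields JSON-escaped as a producer must emit them; only `audispd` and `sudo` bodies get a dedicated parser, and the sudo "command not allowed" shape handled below is sudo's standard denial line, not one that appears in the capture.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: three records from the post, joined into one stream with no
# separator, as the tcpdump capture showed them. json.dumps escapes the double
# quotes inside the audit fields; a real producer has to do the same.
SAMPLE_RECORDS = [
    {"message": '<14>2019-11-25T15:27:02.943087+11:00 compute-2201-1210502.domain.tld '
                'audispd[39023]: node=compute-2201-1210502.domain.tld type=PATH '
                'msg=audit(1574656022.937:25241450): item=0 name="/usr/bin/sudo" inode=54938 '
                'dev=fc:02 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
     "@timestamp": "2019-11-25T04:27:02.675Z", "host": "10.5.0.174", "tags": ["siem"]},
    {"message": "<85>Nov 25 04:27:00 22rrpcsu0316 sudo: monitor : TTY=unknown ; PWD=/home/monitor ; "
                "USER=root ; COMMAND=/sbin/pvs --noheadings -o pv_name,pv_attr",
     "@timestamp": "2019-11-25T04:27:02.683Z", "host": "10.5.0.12", "port": 38612, "tags": ["siem"]},
    {"message": "<14>2019-11-25T15:27:02.954896+11:00 compute-2201-1210502.domain.tld "
                "audispd[39023]: node=compute-2201-1210502.domain.tld type=USER_START "
                "msg=audit(1574656022.949:25241451): pid=247906 uid=0 auid=10054 ses=2024952 "
                "msg='op=PAM:session_open acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? "
                "addr=? terminal=? res=success'",
     "@timestamp": "2019-11-25T04:27:02.683Z", "host": "10.5.0.174", "tags": ["siem"]},
]
RAW = "".join(json.dumps(r, separators=(",", ":")) for r in SAMPLE_RECORDS)

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit "
              "alert cron2 local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emergency alert critical error warning notice informational debug".split()

def _header(ts):
    # The same expression a grok match would carry; grok spells (?P<name>...) as (?<name>...).
    return re.compile(r"^<(?P<pri>\d{1,3})>(?P<timestamp>" + ts + r") (?P<hostname>\S+) "
                      r"(?P<program>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$")

_ISO_HEADER = _header(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})")  # audispd
_BSD_HEADER = _header(r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}")                   # sudo
_AUDIT_KV = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")  # bare, "quoted" or 'quoted' values

def split_concatenated_json(text):
    """Split back-to-back JSON objects without relying on a separator or the trailing tag."""
    decoder, pos, records = json.JSONDecoder(), 0, []
    while pos < len(text):
        if text[pos].isspace():           # raw_decode rejects leading whitespace
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        records.append(obj)
    return records

def parse_audit(body):
    """Flatten audispd key=value pairs, including the nested msg='...' record."""
    fields = {}
    for key, value in _AUDIT_KV.findall(body):
        if key == "msg" and value.startswith("audit("):
            # msg=audit(<epoch>:<serial>): links the PATH/USER_START/... records of one event
            fields["audit_epoch"], fields["audit_serial"] = value[6:].rstrip("):").split(":")
        elif key == "msg" and value.startswith("'"):
            fields.update(parse_audit(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return fields

def parse_sudo(body):
    """'<invoker> : [status ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...'"""
    who, sep, rest = body.partition(" : ")
    if not sep:
        return None
    fields = {"invoking_user": who}
    for item in rest.split(" ; "):
        key, eq, value = item.partition("=")
        if eq:
            fields[key.lower()] = value   # COMMAND keeps its embedded spaces
        else:
            fields["status"] = item       # sudo's verdict, e.g. "command not allowed"
    return fields

def parse_syslog(message):
    """Header fields plus a per-program body parse; unmatched lines are flagged, not dropped."""
    iso = _ISO_HEADER.match(message)
    match = iso or _BSD_HEADER.match(message)
    if not match or int(match.group("pri")) > 191:   # 191 is the largest valid PRI
        return {"parse_failure": True, "message": message}
    pri, pid = int(match.group("pri")), match.group("pid")
    event = {"syslog_facility": FACILITIES[pri >> 3], "syslog_severity": SEVERITIES[pri & 7],
             "timestamp": match.group("timestamp"), "hostname": match.group("hostname"),
             "program": match.group("program"), "pid": int(pid) if pid else None}
    if iso:  # ISO stamps carry an offset and normalise to UTC; BSD stamps have neither year nor zone
        stamp = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
        event["timestamp_utc"] = stamp.astimezone(timezone.utc).isoformat()
    body = match.group("body")
    if event["program"] == "audispd":
        event["audit"] = parse_audit(body)
    elif event["program"] == "sudo":
        event["sudo"] = parse_sudo(body)
    else:
        event["body"] = body
    return event

def parse_capture(text):
    """Parse every shipped record, keeping the shipper's host and @timestamp next to the message."""
    return [dict(parse_syslog(r.get("message", "")), shipper_host=r.get("host"),
                 shipper_timestamp=r.get("@timestamp"), tags=r.get("tags", []))
            for r in split_concatenated_json(text)]
```

In Logstash terms, the splitting is what the `json` codec does on the input, the two header regexes are the grok `match` alternatives, and the audit pairs are what a `kv` filter pulls out; the `["siem"]` tag is not needed to find message boundaries, since a JSON decoder locates the end of each object itself. The UTC normalisation doubles as a sanity check on the posted data: the audispd stamp 15:27:02+11:00 becomes 04:27:02Z, which agrees with the shipper's `@timestamp`, so clock and zone on that host are consistent. The sudo lines carry neither year nor zone, so a date filter has to assume both, and that is where time-based searches usually go wrong. For detection, the fields worth indexing are the sudo `invoking_user`, `user` and `command` (plus `status` when present) and the audit `auid`, `exe` and `res`, since `res=failed` and a denied sudo are the events a SIEM rule keys on.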

@kares

Please use markdown to format your message.
