That really helped me, thank you so much.
One last question about the .conf file.
As I said before, I'd like to create a new field with the log's time. My .conf looks like this now:
```
input {
  file {
    # auth.log copied from the Raspberry Pi
    path => "/var/log/banana/auth.log"
    start_position => "beginning"
  }
}

filter {
  # split the syslog timestamp at the start of the line into three fields
  grok {
    match => { "message" => "%{MONTH:month} %{MONTHDAY:day} %{TIME:time}" }
  }
  # build one field out of the three pieces
  mutate {
    add_field => { "newtimestamp" => "%{MONTH} %{MONTHNUM} %{TIME}" }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
  stdout { codec => rubydebug }
}
```
Once I add the new field, which is created, its content is literally the parsing 'code'. I mean, here you have the JSON output, no errors. It's about quotes, I think, is it?
```json
{
  "_index": "logstash-2017.11.14",
  "_type": "logs",
  "_id": "AV-6gGWS1TaAY5OfLJU6",
  "_version": 1,
  "_score": null,
  "_source": {
    "path": "/var/log/banana/auth.log",
    "@timestamp": "2017-11-14T12:28:17.502Z",
    "month": "Sep",
    "@version": "1",
    "host": "0.0.0.0",
    "newtimestamp": "%{MONTH} %{MONTHNUM} %{TIME}",
    "time": "21:30:46",
    "message": "Sep 22 21:30:46 raspberrypi systemd-logind[565]: New session c2 of user pi.",
    "day": "22"
  },
  "fields": {
    "@timestamp": [
      1510662497502
    ]
  },
  "sort": [
    1510662497502
  ]
}
```
The new timestamp was supposed to be Sep 22 21:30:46.
Thank you so much.
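For reference, here is a version of the same pipeline that produces the intended value. This is an added example, not part of the original post and not the Logstash project's own code. Two things change: `add_field` references the field names that the grok filter created (`month`, `day`, `time`), not the grok pattern names (`MONTH`, `MONTHNUM`, `TIME`), which is why the original output contained the literal `%{MONTH} %{MONTHNUM} %{TIME}`; and a `date` filter turns the result into the event's `@timestamp`, so that in Elasticsearch the session events sort by when the login happened on the Pi rather than by when Logstash read the file (the original `@timestamp` of `2017-11-14T12:28:17.502Z` is the ingest time, which is useless for an incident timeline). The `sincedb_path`, `timezone` and `locale` values are assumptions for a test run; adjust them to the host.

```logstash
input {
  file {
    path => "/var/log/banana/auth.log"
    start_position => "beginning"
    # Assumption, for testing only: forget the read position so the file is
    # re-read from the beginning on every run. Drop this in production.
    sincedb_path => "/dev/null"
  }
}

filter {
  # Syslog pads days 1-9 with a space ("Sep  2 21:30:46"), so allow one or
  # more spaces between month and day; a single literal space would silently
  # drop the first nine days of every month.
  grok {
    match => { "message" => "^%{MONTH:month} +%{MONTHDAY:day} %{TIME:time} %{SYSLOGHOST:syslog_host} %{GREEDYDATA:syslog_message}$" }
  }

  # Only build the timestamp for lines grok actually understood; failed lines
  # keep the _grokparsefailure tag so they remain visible instead of vanishing.
  if "_grokparsefailure" not in [tags] {
    # Use the *field* names (lowercase) created by the grok filter above.
    mutate {
      add_field => { "newtimestamp" => "%{month} %{day} %{time}" }
    }

    # Parse the new field into @timestamp. Syslog timestamps carry no year, so
    # the date filter assumes the current year; lines from a previous year will
    # be dated wrongly. Both patterns are listed because the day may be 1 or 2
    # digits. timezone and locale are assumptions: set them to the Pi's values.
    date {
      match    => [ "newtimestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
      target   => "@timestamp"
      timezone => "UTC"
      locale   => "en"
    }

    # The three pieces are now redundant; drop them to keep the document small.
    mutate {
      remove_field => [ "month", "day", "time" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
  stdout { codec => rubydebug }
}
```

With this configuration the sample line `Sep 22 21:30:46 raspberrypi systemd-logind[565]: New session c2 of user pi.` yields `newtimestamp` of `Sep 22 21:30:46` and, with the assumed UTC timezone, an `@timestamp` of `2017-09-22T21:30:46.000Z`. If the `date` filter cannot parse a value it tags the event `_dateparsefailure` and leaves `@timestamp` at the ingest time, so a quick check after loading the file is to search for events tagged `_grokparsefailure` or `_dateparsefailure` in Kibana: any hits mean lines from `auth.log` are not being timelined correctly.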