Hello,
I have to grok my syslog auth logs from Linux, I have a pattern, but it still nonmatch with the logs, can someone help me to see if there is an error in my gros pattern ?
My filter
filter {
json {
source => "message"
target => ""
}
mutate {
remove_field => ["[message]"]
}
if [event][module] == "system" {
if [fileset][name] == "auth" {
grok {
match => {
"[event][original]" => [
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\\[%{POSINT:system.auth.pid}\\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\\[%{POSINT:system.auth.pid}\\])?: %{DATA:system.auth.ssh.event} user %{DATA:system.auth.user} from %{IPORHOST:system.auth.ip}"
]
}
add_tag => [ "_grok_system_auth_success" ]
tag_on_failure => [ "_grok_system_auth_nomatch" ]
}
date {
match => [ "[system][auth][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
geoip {
source => "[system][auth][ssh][ip]"
target => "[system][auth][ssh][geoip]"
}
}
}
}
Data in event.original that I want to grok
May 17 11:12:11 scanner sshd[2161]: Failed password for secu from 10.60.22.4 port 50798 ssh2
May 17 11:15:25 scanner sshd[2164]: Accepted password for secu from 10.60.22.4 port 50822 ssh2
May 16 19:19:26 scanner sshd[16153]: Failed password for invalid user seuc from 10.60.22.4 port 52772 ssh2
Thank you for your help