Hi, I am trying to grok the log below with Logstash and fetch the term "Received disconnect". (My ELK version is still 5.1.1 at the moment.)
Nov 27 00:00:00 ubuntu sshd[123456]: Received disconnect from 111.111.111.111: 14: Unable to authenticate using any of the configured authentication methods. [preauth]
With my current config I can take the words out separately, but cannot merge them as one term (the word after the term is different, so I cannot use it as the end of a GREEDYDATA):
%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} %{WORD:conn_type}\[%{BASE10NUM}\]: %{WORD:result} %{WORD:result} %{GREEDYDATA} from %{IP:source_ip}
And I fail to find any keyword that matches multiple words. So I wonder if someone has solved a similar situation?
Thanks a lot.
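Added example, not from the question or from Logstash: grok accepts a custom named capture `(?<result>Received disconnect)` in place of the two `%{WORD:result}` entries, so the phrase lands in one field. The script below holds that pattern and a small, simplified emulation of grok's `%{NAME:field}` expansion (the stand-in pattern bodies, the `pid`, `reason_code` and `reason` fields, and the escaped `\[ \]` are my assumptions, not the Logstash built-ins) so it can be run offline against the line from the question.

```python
import re

# Simplified stand-ins for the grok built-ins used here (assumption: these are
# NOT the real Logstash definitions, just enough to match this sshd line).
GROK_PATTERNS = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "HOSTNAME": r"[\w.-]+",
    "WORD": r"\w+",
    "BASE10NUM": r"\d+",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "GREEDYDATA": r".*",
}

# Grok pattern for the sshd disconnect line. The fixed phrase is captured by a
# custom named group so it stays one term; brackets around the pid are escaped.
SSHD_DISCONNECT_GROK = (
    r"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} "
    r"%{WORD:conn_type}\[%{BASE10NUM:pid}\]: (?<result>Received disconnect) "
    r"from %{IP:source_ip}: %{BASE10NUM:reason_code}: %{GREEDYDATA:reason}"
)

# The log line quoted in the question, used here as sample input.
SAMPLE_LINE = ("Nov 27 00:00:00 ubuntu sshd[123456]: Received disconnect from "
               "111.111.111.111: 14: Unable to authenticate using any of the "
               "configured authentication methods. [preauth]")

def grok_to_regex(grok: str) -> str:
    """Expand %{NAME} / %{NAME:field} into Python regex groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    regex = re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, grok)
    # Oniguruma (grok) writes named groups as (?<name>...); Python wants (?P<name>...).
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)

def parse_sshd_disconnect(line: str):
    """Return the captured fields as a dict, or None if the line does not match."""
    m = re.fullmatch(grok_to_regex(SSHD_DISCONNECT_GROK), line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    print(parse_sshd_disconnect(SAMPLE_LINE))
```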