Attempting to use a syslog pattern to parse ubuntu logs for building auth reports but having issues with syslog-filter.conf file. Below are the config files and error message:
Error message:
[2017-10-18T20:34:18,093][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2017-10-18T20:34:18,095][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[2017-10-18T20:34:18,278][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"Expected one of #, => at line 20, column 356 (byte 690) after filter {\n if [document_type] == "syslog" {\n grok {\n match => {"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\\[%{POSINT:system.auth.pid}\\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?""}
Syslog-filter.conf(installed on logstash at /etc/logstash/conf.d/syslog-filter.conf):
filter {
if [document_type] == "syslog" {
grok {
match => {"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?"}
}
}
}
Filebeat.yml(from ubuntu host):
#=========================== Filebeat prospectors =============================
filebeat.prospectors:
input_type: log
#Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/syslog/home/ids/removed.ip/*.log
exclude_files: [".gz$"]paths:
- /var/log/auth.log
document_type: syslog
fields:
client: removed
fields_under_root: true#----------------------------- Logstash output --------------------------------
output.logstash:
#The Logstash hosts
hosts: ["removed.ip.:5044"]
#loadbalance: true
bulk_max_size: 2048
#ssl.certificate_authorities: ["/etc/filebeat/logstash.crt"]
template.name: "filebeat"
template.path: "filebeat.template.json"
template.overwrite: false
index: removed
I've tried hunting down the line and column but I don't know what should be changed. Thanks in advance for any help.