Hello
I am very new to ELK and I am stuck at extracting fields.Below is the sample data
Dec 9 06:36:01 s-login-01 CRON[2436102]: pam_unix(cron:session): session closed for user mXXt
Dec 9 06:34:07 s-login-01 sshd[2424671]: Disconnected from user sw 10.xx.1x.xx port 4000
Dec 9 06:34:05 s-login-01 systemd-logind[2405]: Session 20923 logged out. Waiting for processes to exit.
I have the above sample data I want to know how to write the .conf file for this .I tried using the below .conf but It did not extract the fields.
input {
file {
path => "/../syslog.log"
type => "syslog"
start_position => beginning
sincedb_path => "/dev/null"
}
}
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{NOTSPACE:HOST}%{SPACE}%{NOTSPACE:PROCESS}\[%{NUMBER:PID}\]\:%{GREEDYDATA:activity}" }
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{NOTSPACE:HOST}%{SPACE}%{NOTSPACE:PROCESS}\[%{NUMBER:PID}\]\:%{GREEDYDATA:activity}.?*%{WORD:User}" }
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{NOTSPACE:HOST}%{SPACE}%{NOTSPACE:PROCESS}\[%{NUMBER:PID}\]\:%{GREEDYDATA:activity}.?*%{WORD:User}.?*%{IP:IP}.?*%{NUMBER:Port}" }
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{NOTSPACE:HOST}%{SPACE}%{NOTSPACE:PROCESS}\[%{NUMBER:PID}\]\:%{GREEDYDATA:activity}.?*%{NUMBER:Session_ID}" }
}
}
output {
Elasticsearch {
hosts => ["localhost:9200"]
index => "sample_"
}
}