Help with logstash output

PJss · July 6, 2022, 12:46pm

Hello I'm getting ELK running node in command, that i don't configure, and this string below goes to arcsight:

2022-07-04T12:50:30.046Z {name=TST-FT13} Jul 4 15:50:29 TST-FT13 sshd[1872]: Accepted keyboard-interactive/pam for root from 192.168.11.11 port 58293 ssh2

Now they ask me to remove part that i marked with bold. I`m trying some remove_field variants in filter config, but it not help, please help to find solution.

           udp {
              id => "arcsight_line"
              host => "192.168.99.99"
              port => 714
              codec => "line"
              }

Rios · July 6, 2022, 1:51pm

What are you using to parse this line? Grok?

PJss · July 7, 2022, 8:13am

Hello again, I manage to get some progress, I removed unwanted date and host info with this filter:

filter {

  clone {
    clones => ["cloned"]
  }

  if [type] == 'cloned' {
    mutate {
      add_field => { "[@metadata][type]" => "cloned" }
    remove_field => [ "host", "@timestamp" ]
    }
}

but, now I got these sign in output, can anybody say how to remove bolded part

%{host} Jul 7 10:52:15 PC-30PU sudo: pam_unix(sudo:auth): conversation failed

PJss · July 7, 2022, 12:03pm

Solved my problem with this strings.

    mutate {
      add_field => { "[@metadata][type]" => "cloned" }
      replace => { "host" => "" }
    remove_field => [ "@timestamp" ]

system · August 4, 2022, 12:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.