How to parse IP address from file /var/log/syslog in Logstash 10-syslog-conf

lewis151 · November 27, 2015, 1:16pm

Logstash config

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:host_target} logname=%{USERNAME:logname}  sshd\[BASE10NUM}\]:  Failed password for (invalid user |)%{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2 %{SYSLOGHOST:syslog_hostname} tty=%{TTY:tty} ruser=%{USERNAME:ruser} rhost=(?:%{HOSTNAME:remote_host}|\s*) user=%{USERNAME:user} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
   add_field => [ "src_ip", "%{clientip}" ]
    }

filter {

if [type] == "syslog" {

grok {

}

grok {

type => "syslog"

match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:host_target} logname=%{USERNAME:logname} uid=%{BASE10NUM:uid} euid=%{BASE10NUM:euid} tty=%{TTY:tty} ruser=%{USERNAME:ruser} rhost=(?:%{HOSTNAME:remote_host}|\s*) user=%{USERNAME:user}" }

add_tag => "sudo_auth_failure"

#}

grok {

type => "syslog"

pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd[%{BASE10NUM}]: Failed password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"

add_tag => "ssh_failed_login"

#}

grok {

type => "syslog"

pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd[%{BASE10NUM}]: Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"

add_tag => "ssh_sucessful_login"

#}

    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

Topic		Replies	Views
Logstash parsing syslog Logstash	8	3614	July 6, 2017
How to add ip (any specific parameters) to filter in logstash? Logstash	6	870	July 6, 2017
Completely lost Logstash	6	1161	July 6, 2017
Not able to see the source ip field in the auth.log on kibana dashboard Logstash	8	3237	February 21, 2017
I really need help with standard rsyslog parsing Logstash	12	2568	July 6, 2017

How to parse IP address from file /var/log/syslog in Logstash 10-syslog-conf

filter {

if [type] == "syslog" {

grok {

}

grok {

type => "syslog"

match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:host_target} logname=%{USERNAME:logname} uid=%{BASE10NUM:uid} euid=%{BASE10NUM:euid} tty=%{TTY:tty} ruser=%{USERNAME:ruser} rhost=(?:%{HOSTNAME:remote_host}|\s*) user=%{USERNAME:user}" }

add_tag => "sudo_auth_failure"

grok {

type => "syslog"

pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd[%{BASE10NUM}]: Failed password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"

add_tag => "ssh_failed_login"

grok {

type => "syslog"

pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd[%{BASE10NUM}]: Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"

add_tag => "ssh_sucessful_login"

Related topics