Hello,
I'm using ELK on my CentOS 7 virtual machine via the vSphere client.
I have some logs to visualise: /var/log/secure.
I've connected my Kibana via nginx and it's working fine!
I've set this configuration in /etc/logstash/conf.d/sshd.conf:
input {
  file {
    type => "secure_log"
    # the logstash user must be able to read this file (root-only 0600 by default on CentOS 7)
    path => "/var/log/secure"
    # read the existing file from the start on the first run; the default is to tail from the end
    start_position => "beginning"
  }
}
filter {
  grok {
    # Logstash has no "include" directive; custom pattern files are loaded from patterns_dir,
    # and a named pattern defined there (e.g. SSHD_AUTH, an assumed name) can be used as %{SSHD_AUTH}
    patterns_dir => ["/etc/logstash/pattern"]
    add_tag => [ "sshd_fail" ]
    # "(?:invalid user )?" is needed so that "Failed password for invalid user X from ..." lines match too
    match => { "message" => "Failed %{WORD:sshd_auth_type} for (?:invalid user )?%{USERNAME:sshd_invalid_user} from %{IP:sshd_client_ip} port %{NUMBER:sshd_port} %{GREEDYDATA:sshd_protocol}" }
  }
}
output {
  elasticsearch {
    index => "sshd_fail-%{+YYYY.MM}"
  }
}
and I made a .txt file called pattern where I entered the pattern for my logs:
/etc/logstash/pattern/pattern.txt
# a patterns_dir file maps a NAME to a regex, one per line; SSHD_AUTH is an assumed name
SSHD_AUTH %{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?
and I still have nothing.
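As an added example (not part of the question), the grok expression from pattern.txt translated into a Python regex and run over constructed /var/log/secure lines; checking the pattern this way, before involving Logstash, separates "the pattern does not match" from "Logstash never reads the file". The grok primitives are approximated (SYSLOGHOST and IPORHOST as non-whitespace runs, DATA as a lazy match), which is an assumption noted in the code.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/secure format (not real log data).
SAMPLE_SECURE_LOG = """\
Apr 12 10:15:32 centos7 sshd[2345]: Failed password for invalid user admin from 203.0.113.45 port 52314 ssh2
Apr 12 10:15:40 centos7 sshd[2347]: Failed password for root from 203.0.113.45 port 52320 ssh2
Apr 12 10:16:01 centos7 sshd[2350]: Accepted publickey for deploy from 198.51.100.7 port 41022 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Apr 12 10:16:05 centos7 sshd[2350]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
"""

# Python rendering of the pattern.txt grok expression. Assumption: SYSLOGTIMESTAMP is
# "Mon dd hh:mm:ss", SYSLOGHOST/IPORHOST are \S+, DATA is a lazy .*?, POSINT/NUMBER are \d+.
SSHD_AUTH = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) sshd(?:\[(?P<pid>\d+)\])?: "
    r"(?P<event>.*?) (?P<method>.*?) for (?:invalid user )?(?P<user>.*?) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2(?:: (?P<signature>.*))?$"
)


def parse_secure_line(line):
    """Return the named groups for an sshd auth line, or None if the pattern does not match."""
    m = SSHD_AUTH.match(line)
    return m.groupdict() if m else None


def parse_secure_log(text):
    """Parse every line of a /var/log/secure excerpt, dropping lines the pattern rejects."""
    return [e for e in (parse_secure_line(l) for l in text.splitlines()) if e]


def failed_logins_by_ip(events):
    """Count 'Failed' events per source IP, the same view the sshd_fail index is meant to give."""
    return Counter(e["ip"] for e in events if e["event"] == "Failed")


if __name__ == "__main__":
    parsed = parse_secure_log(SAMPLE_SECURE_LOG)
    for event in parsed:
        print(event)
    print(failed_logins_by_ip(parsed))
```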