hi
i know its elementary but i am stuck at an if statement
with if statement I get grok failure
and without it every thing is fine
I'm using logstash 7.7
indent preformatted text by 4 spaces
```
input {stdin{}}
filter {
if [program] == "sshd" {
grok {
patterns_dir => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
match => { "message" => "%{SSH_AUTHFAIL_WRONGCREDS}" }
add_field => { "ssh_authresult" => "fail" "ssh_failreason" =>
"wrong_credentials" }
add_tag => [ "_grok_sshd_success", "matched" ]
}
grok {
patterns_dir => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
match => { "message" => "%{SSH_AUTHFAIL_WRONGUSER}" }
add_field => { "ssh_authresult" => "fail" "ssh_failreason" =>
"unknown_user" }
add_tag => [ "_grok_sshd_success", "matched" ]
}
grok {
patterns_dir => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
match => { "message" => "%{SSH_AUTH_SUCCESS}" }
add_field => { "ssh_authresult" => "success" }
add_tag => [ "_grok_sshd_success", "matched" ]
}
grok {
patterns_dir => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
match => { "message" => "%{SSH_DISCONNECT}" }
add_tag => [ "_grok_sshd_success", "matched", "ssh_disconnect" ]
}
mutate {
remove_tag => [ "matched", "_grokparsefailure" ]
}
geoip {
source => "ssh_client_ip"
}
}
}
output{stdout{codec => rubydebug}}
```
log sample
```
2020-05-24T01:11:11+04:30 ldap sshd[29859]: Accepted publickey for cadmin from 192.168.2.32 port 44192 ssh2: RSA SHA256:ORw82lHe311CAgeD08StZzO31tlRZJcddddddaGx6Kg
```