I have the following sample log.
Feb 1 15:30:49 sudo: pam_unix(sudo-i:auth): authentication failure; logname= uid=10050 euid=0 tty=/dev/pts/2 user=test
Feb 1 15:30:50 sudo: pam_sss(sudo-i:auth): authentication success; logname= uid=10050 euid=0 tty=/dev/pts/2
I am using the Logstash elapsed filter to calculate the time difference. I have it working; however, I need the second log line to have the field user=test as in the first log line, so that I can use the field in a Kibana visualization.
Any ideas on how this can be achieved?
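The correlation the post is after, written out as a stand-alone Python example rather than a Logstash configuration (this is added illustration code, not part of the original question or of Logstash): the two syslog lines from the post are embedded as a constructed sample, each line is parsed into key/value fields, a failure event is held as the "start" under a key built from uid and tty, and the matching success event receives the start event's user field plus the elapsed seconds. The syslog timestamp has no year, so a fixed year is passed in as an assumption; the 60-second timeout and the tag names are likewise chosen here and are not from the post.

```python
import re
from datetime import datetime

# Constructed sample: the two lines from the post, one per line.
SAMPLE_LOG = (
    "Feb 1 15:30:49 sudo: pam_unix(sudo-i:auth): authentication failure; "
    "logname= uid=10050 euid=0 tty=/dev/pts/2 user=test\n"
    "Feb 1 15:30:50 sudo: pam_sss(sudo-i:auth): authentication success; "
    "logname= uid=10050 euid=0 tty=/dev/pts/2"
)

# Matches "<timestamp> sudo: pam_xxx(sudo-i:auth): authentication <result>; <key=value ...>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) sudo: "
    r"(?P<module>pam_\w+)\(sudo-i:auth\): authentication (?P<result>failure|success); "
    r"(?P<kv>.*)$"
)


def parse_line(line, year=2024):
    """Turn one PAM sudo line into a dict of fields; returns None for non-matching lines.

    'year' is an assumption: syslog timestamps carry no year, so one is supplied.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"module": m["module"], "result": m["result"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        event[key] = value  # "logname=" yields an empty string, as in the raw line
    event["@timestamp"] = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return event


def correlate(lines, timeout_s=60):
    """Pair each 'authentication failure' with the next 'authentication success'
    for the same (uid, tty), copying 'user' onto the success event and adding
    'elapsed_time' in seconds, mirroring what a start/end elapsed match does."""
    pending = {}  # (uid, tty) -> start event still waiting for its end event
    out = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        key = (event.get("uid"), event.get("tty"))
        if event["result"] == "failure":
            pending[key] = event  # start event
        elif event["result"] == "success":
            start = pending.pop(key, None)
            if start is not None:
                delta = (event["@timestamp"] - start["@timestamp"]).total_seconds()
                if 0 <= delta <= timeout_s:
                    event["elapsed_time"] = delta
                    if "user" not in event and "user" in start:
                        event["user"] = start["user"]  # the field the post wants carried over
                    event["tags"] = ["elapsed", "elapsed_match"]  # assumed tag names
        out.append(event)
    return out


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG.splitlines()):
        print(ev)
```

The point of keying on uid and tty together is that a success on a different terminal for the same uid, or the same terminal for a different uid, should not inherit the user value. The elapsed filter alone only produces the timing fields and tags; keeping per-key state so that a field from the start event can be written onto the end event is what the Logstash aggregate filter's map is for, and the `pending` dict above plays that role.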