Dear all,
I installed filebeat on my server, and it's configured to read the auth.log file.
The information in the auth.log file is sent to ELK.
In Kibana I have a JSON message with a label message. This label is a string like this: "app sshd[27546]: Failed password for root from XXX.XXX.XXX.XXX port 47307 ssh2"
I searched on the internet and found this to match the line: %{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?
Can you tell me how I can "filter" the message section in my JSON to have new fields in Kibana and make some dashboards?
Thanks for your help
Best regards
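One way to turn the grok pattern above into separate fields is a Logstash pipeline with a grok filter on the message field. This is an added example, not from the original post: it assumes Filebeat ships to Logstash on port 5044 and Elasticsearch listens on localhost:9200, writes the same field names using Logstash's nested [a][b] syntax so the later date and mutate filters can reference them, and expects the message to still carry the syslog timestamp and hostname prefix that auth.log lines normally have.

```conf
# Added example pipeline (not the poster's config). Assumptions:
# Filebeat -> Logstash on 5044, Elasticsearch on localhost:9200.
input {
  beats { port => 5044 }
}

filter {
  # Only parse lines that look like sshd messages; everything else passes through.
  if [message] =~ /sshd(\[\d+\])?: / {
    grok {
      # Same pattern as in the post, with nested field names for Logstash.
      match => {
        "message" => "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ip]} port %{NUMBER:[system][auth][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?"
      }
      # A non-matching sshd line is tagged rather than dropped, so it is easy to find in Kibana.
      tag_on_failure => ["_grokparsefailure_sshd"]
    }
    if "_grokparsefailure_sshd" not in [tags] {
      # Use the syslog timestamp as the event time instead of the ingest time.
      date {
        match  => ["[system][auth][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"]
        target => "@timestamp"
      }
      # Numeric types so port and pid can be aggregated in dashboards.
      mutate {
        convert => {
          "[system][auth][port]" => "integer"
          "[system][auth][pid]"  => "integer"
        }
      }
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "filebeat-%{+YYYY.MM.dd}"
  }
}
```

After this, fields such as system.auth.user, system.auth.ip and system.auth.ssh.event appear on each document and can be used directly in Kibana visualizations, for example a terms aggregation on system.auth.ip for events where system.auth.ssh.event is "Failed password".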