Parsing message with filebeat

Dear all,

I installed Filebeat on my server, and it is configured to read the auth.log file.
The information in the auth.log file is sent to ELK.

In Kibana I have a JSON message with a label "message". This label is a string like this: "app sshd[27546]: Failed password for root from XXX.XXX.XXX.XXX port 47307 ssh2"

I searched on the internet and found this to match the line:
%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?

Can you tell me how I can "filter" the message section in my JSON to have new fields in Kibana and build some dashboards?

Thanks for your help

Best regards
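As an added worked example (not the poster's configuration and not code from Elastic), the grok expression quoted in the question applied in plain Python: it expands each %{PATTERN:field} reference into a regex named group, parses a few constructed auth.log lines into the system.auth.* fields the expression names, and counts "Failed password" events per source IP, which is the number a brute-force dashboard panel would chart. One caveat the question itself exposes: the message shown in Kibana starts at the hostname ("app sshd[27546]: ...") with no syslog timestamp in front of it, so the full expression does not match that string; a variant with the timestamp made optional does. The GROK_PATTERNS table is a simplified approximation of the stock patterns, and the sample lines, hostnames and 203.0.113.0/24 addresses are constructed for this example.

```python
import re
from collections import Counter

# Simplified stand-ins for the stock grok patterns the expression uses.
# Assumption: these approximate the Logstash/ingest-node definitions; they are
# not the exact regexes those tools ship.
GROK_PATTERNS = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "SYSLOGHOST": r"[\w.-]+",
    "POSINT": r"[1-9]\d*",
    "DATA": r".*?",
    "IPORHOST": r"[\w.:-]+",
    "NUMBER": r"\d+(?:\.\d+)?",
    "GREEDYDATA": r".*",
}

# Everything after the hostname, exactly as in the question's expression.
SSHD_TAIL = (
    r"sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} "
    r"%{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} "
    r"from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} "
    r"ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?"
)

# The expression quoted in the question: timestamp, host, then the sshd part.
SSHD_GROK = (
    r"%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} "
    + SSHD_TAIL
)

# Variant for the "message" string shown in Kibana, which begins at the
# hostname: the syslog timestamp is made optional.
MESSAGE_GROK = (
    r"(?:%{SYSLOGTIMESTAMP:system.auth.timestamp} )?%{SYSLOGHOST:system.auth.hostname} "
    + SSHD_TAIL
)

GROK_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")


class Grok:
    """Minimal grok: %{NAME:field} references become named regex groups.

    Dotted field names are not legal Python group names, so each reference is
    given a synthetic group name and mapped back to its dotted field on match.
    """

    def __init__(self, expression):
        self.fields = {}
        self.regex = re.compile("^" + GROK_REF.sub(self._expand, expression) + "$")

    def _expand(self, m):
        name, field = m.group(1), m.group(2)
        if field is None:  # %{NAME} with no field: match but do not capture
            return f"(?:{GROK_PATTERNS[name]})"
        group = f"f{len(self.fields)}"
        self.fields[group] = field
        return f"(?P<{group}>{GROK_PATTERNS[name]})"

    def match(self, text):
        """Return {dotted.field: value} for the groups that matched, or None
        when the line does not fit the expression at all."""
        m = self.regex.match(text)
        if m is None:
            return None
        return {self.fields[g]: v for g, v in m.groupdict().items() if v is not None}


SSHD = Grok(SSHD_GROK)
MESSAGE = Grok(MESSAGE_GROK)

# Constructed sample lines (not from the poster's server).
SAMPLE_AUTH_LOG = [
    "Mar  3 10:15:42 app sshd[27546]: Failed password for root from 203.0.113.5 port 47307 ssh2",
    "Mar  3 10:15:45 app sshd[27548]: Failed password for invalid user admin from 203.0.113.5 port 47310 ssh2",
    "Mar  3 10:16:01 app sshd[27550]: Accepted publickey for alice from 203.0.113.7 port 51234 ssh2: RSA SHA256:abc123",
    "Mar  3 10:16:02 app sshd[27550]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
]

# Constructed copy of the shape the question shows for the Kibana "message" field.
KIBANA_MESSAGE = "app sshd[27546]: Failed password for root from 203.0.113.5 port 47307 ssh2"


def failed_password_counts(lines, grok=SSHD):
    """Count 'Failed password' events per source IP; lines that do not match
    the expression (for example the pam_unix line) are skipped."""
    counts = Counter()
    for line in lines:
        ev = grok.match(line)
        if ev and ev["system.auth.ssh.event"] == "Failed" and ev["system.auth.ssh.method"] == "password":
            counts[ev["system.auth.ip"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_AUTH_LOG:
        print(SSHD.match(line))
    print("full expression on Kibana message:", SSHD.match(KIBANA_MESSAGE))
    print("optional-timestamp variant:", MESSAGE.match(KIBANA_MESSAGE))
    print("failed passwords per IP:", failed_password_counts(SAMPLE_AUTH_LOG))
```

All captured values are strings, as they would be in grok without a type suffix; appending `:int` to a reference (for example `%{NUMBER:system.auth.port:int}`) is how grok itself casts a field, and doing so matters if a dashboard is going to sort or range-filter on the port. The lines that return None here are the ones a Logstash grok filter would tag with `_grokparsefailure`, which is worth a visualization of its own so that silently unparsed events do not hide from the dashboard.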

Hey @Christophe welcome to Elastic Discuss.

Maybe you can consider using an ingest node or Logstash.
