Parsing message with filebeat

Christophe · April 4, 2019, 9:36am

Dear all,

I installed filebeat on my server, and it's configured to read the auth.log file.
The information in the auth.log file is sending to ELK.

In Kibana I have a JSON message with a label message. This label is a string like this : "app sshd[27546]: Failed password for root from XXX.XXX.XXX.XXX port 47307 ssh2"

I search on internet and I found this to match the line : %{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?

Can you tell me how I can "filter" the message section in my JSON to to have new fields in Kibana and make some Dashboard.

Thanks for your help

Best regards

Michal_Pristas · April 5, 2019, 7:10am

Hey @Christophe welcome to Elastic Discuss.

Maybe you can consider using ingest node or using logstash

Topic		Replies	Views
Kibana Customize Message Beats filebeat	2	892	January 11, 2018
Create new Fields to Filter by Beats filebeat	3	417	September 10, 2019
Filebeat shipping incomplete logs Beats filebeat	3	732	August 20, 2019
Lost data in kibana but show in syslog logstash Logstash	12	987	August 14, 2021
Filebeat send json format log, kibana can't recognize filed Beats filebeat	3	2519	April 9, 2019

Parsing message with filebeat

Related topics