Parsing message with filebeat

Dear all,

I installed filebeat on my server, and it's configured to read the auth.log file.
The information in the auth.log file is sending to ELK.

In Kibana I have a JSON message with a label message. This label is a string like this : "app sshd[27546]: Failed password for root from XXX.XXX.XXX.XXX port 47307 ssh2"

I search on internet and I found this to match the line : %{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{}\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?

Can you tell me how I can "filter" the message section in my JSON to to have new fields in Kibana and make some Dashboard.

Thanks for your help

Best regards

Hey @Christophe welcome to Elastic Discuss.

Maybe you can consider using ingest node or using logstash

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.