Pattern for SSH auth does not match

Dear all,

I am facing an issue when trying to create a pattern for SSH auth from the file /var/log/secure.
This is the line I want to create a pattern for:
Jul 8 18:43:05 masternode sshd[18144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.1.1.1 user=abc

And this is the pattern I created using the grok debugger:
%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} sshd(?:\[%{NUMBER:pid}\])?: pam_unix\(sshd:auth\): authentication failure; logname=%{DATA:logname} uid=%{NUMBER:uid} euid=%{NUMBER:euid} tty=%{PROG:tty} ruser=%{DATA:ruser} rhost=%{IPORHOST:rhost}

And how do I create a pattern file for grok?

The last field, user, does not match in grok. Any help is really appreciated.

It's working now.

I have another question: what are add_field and add_tag for?
Does this mean adding a field in Kibana, or what?

I need advice.
Thanks
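Since the thread never got an answer, here is an added worked example (my own code, not from the original post and not Logstash's implementation) covering all three questions: how %{NAME:field} references expand into a regex, how a grok pattern file (one "NAME regex" per line, the format Logstash reads from patterns_dir) lets you define a custom pattern that appends user=%{USERNAME:user} so the user field is captured, and what add_field and add_tag do (they change the event inside Logstash on a successful grok match, before it is ever sent to Elasticsearch; Kibana only displays the result). Assumptions: the base patterns are simplified rewrites of grok-patterns entries, not the exact upstream regexes; SSHD_PAM_AUTH_FAILURE and the add_field values are names I chose; the second, non-matching sshd line is constructed.

```python
import re

# Simplified rewrites of a handful of grok-patterns entries (assumption: these are
# NOT the exact upstream regexes; e.g. Logstash's BASE10NUM uses an atomic group).
BASE_PATTERNS = {
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?"
             r"|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"(?<![0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*\.?",
    "IPV4": r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
            r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![0-9])",
    "IPORHOST": r"(?:%{IPV4}|%{HOSTNAME})",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+))",
    "DATA": r".*?",
    "PROG": r"(?:[\w._/%-]+)",
    "USERNAME": r"[a-zA-Z0-9._-]+",
}

# The pattern from the post, verbatim: it matches the line but never captures user.
ORIGINAL_PATTERN = (
    r"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} sshd(?:\[%{NUMBER:pid}\])?: "
    r"pam_unix\(sshd:auth\): authentication failure; logname=%{DATA:logname} uid=%{NUMBER:uid} "
    r"euid=%{NUMBER:euid} tty=%{PROG:tty} ruser=%{DATA:ruser} rhost=%{IPORHOST:rhost}"
)

# Constructed custom pattern file in the "NAME regex" format Logstash reads from
# patterns_dir. SSHD_PAM_AUTH_FAILURE is an assumed name; it appends the user capture.
PATTERN_FILE = ("# sshd / pam_unix authentication failure (constructed example)\n"
                "SSHD_PAM_AUTH_FAILURE " + ORIGINAL_PATTERN + " user=%{USERNAME:user}\n")

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def load_pattern_file(text):
    """Parse grok pattern-file syntax: one 'NAME regex' per line, '#' starts a comment."""
    patterns = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, regex = line.split(None, 1)
            patterns[name] = regex
    return patterns

def expand(pattern, patterns):
    """Recursively turn %{NAME} into (?:regex) and %{NAME:field} into a named group."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in patterns:
            raise KeyError(f"unknown grok pattern {name}")
        inner = expand(patterns[name], patterns)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(repl, pattern)

def grok_filter(event, pattern, patterns, add_field=None, add_tag=None):
    """Emulate one Logstash grok filter on an event dict that has a 'message' key.

    As in Logstash: the match is unanchored (a prefix match counts), empty captures
    are dropped (keep_empty_captures defaults to false), add_field/add_tag apply
    only on success, and a miss tags the event _grokparsefailure.
    """
    out = dict(event)
    out["tags"] = list(event.get("tags", []))
    m = re.compile(expand(pattern, patterns)).search(out["message"])
    if m is None:
        out["tags"].append("_grokparsefailure")
        return out
    out.update({k: v for k, v in m.groupdict().items() if v})
    for key, value in (add_field or {}).items():
        # add_field values may use Logstash sprintf references such as %{user}
        out[key] = re.sub(r"%\{(\w+)\}", lambda r: str(out.get(r.group(1), "")), value)
    for tag in add_tag or []:
        if tag not in out["tags"]:
            out["tags"].append(tag)
    return out

# The line from the post, plus a constructed sshd line the pattern must not match.
SAMPLE_LINE = ("Jul 8 18:43:05 masternode sshd[18144]: pam_unix(sshd:auth): authentication failure; "
               "logname= uid=0 euid=0 tty=ssh ruser= rhost=172.1.1.1 user=abc")
OTHER_LINE = "Jul 8 18:44:10 masternode sshd[18150]: Accepted publickey for abc from 172.1.1.1 port 51022 ssh2"

def patterns_with_custom():
    patterns = dict(BASE_PATTERNS)
    patterns.update(load_pattern_file(PATTERN_FILE))
    return patterns

def parse_original(line=SAMPLE_LINE):
    return grok_filter({"message": line}, ORIGINAL_PATTERN, BASE_PATTERNS)

def parse_custom(line=SAMPLE_LINE):
    return grok_filter({"message": line}, "%{SSHD_PAM_AUTH_FAILURE}", patterns_with_custom(),
                       add_field={"event_type": "ssh_auth_failure", "actor": "%{user}@%{rhost}"},
                       add_tag=["ssh", "auth_failure"])

if __name__ == "__main__":
    print("original pattern:", parse_original())
    print("custom pattern:  ", parse_custom())
    print("no match:        ", parse_custom(OTHER_LINE))
```

Two things worth noticing when you run it. First, because grok matching is unanchored, the original pattern "matches" the line in the debugger even though it stops at rhost and therefore produces no user field; the fix is to extend the pattern, and anchoring it with ^ is a good habit so a half-written pattern fails loudly instead of silently matching a prefix. Second, add_field and add_tag only fire on a successful match, so the Accepted publickey line comes back with nothing but a _grokparsefailure tag, which is exactly the tag you should alert on in Kibana to catch log lines your patterns do not cover.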
