Dear all,
I am facing an issue when trying to create a pattern for SSH auth from the file /var/log/secure.
This is the line I want to create a pattern for:
Jul 8 18:43:05 masternode sshd[18144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.1.1.1 user=abc
and this is the pattern I created using the grok debugger:
%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} sshd(?:\[%{NUMBER:pid}\])?: pam_unix\(sshd:auth\): authentication failure; logname=%{DATA:logname} uid=%{NUMBER:uid} euid=%{NUMBER:euid} tty=%{PROG:tty} ruser=%{DATA:ruser} rhost=%{IPORHOST:rhost}\s+user=%{USERNAME:user}
And how do I create a pattern file for grok?
The last field, user, does not match in grok. Any help is really appreciated.
It's working now.
I have another question: what are add_field and add_tag for?
Does this mean adding a field in Kibana, or what?
I need advice.
Thanks
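As an added example (not part of the original post, and not Logstash's own code): the Python below is a small reimplementation of what grok does, so both questions in the post can be tried offline. It shows the pattern-file format (one "NAME definition" per line, which is what the grok filter's patterns_dir option loads), a pattern that also captures the trailing user= field and tolerates lines where pam_unix omits it, and what add_field and add_tag mean: they are options of the grok filter (and of other Logstash filters) that are applied to the event only when the filter matched, so the added field and tag are already on the document when it reaches Elasticsearch and shows up in Kibana; they are not Kibana settings. On a failed match Logstash adds the _grokparsefailure tag instead and skips them. The base pattern definitions are a simplified, constructed subset of the ones Logstash ships, the pattern name SSHD_PAM_AUTHFAIL and the field names src_ip and event_type are my own choices, and the sample log lines other than the one in the post are constructed.

```python
# Mini grok for sshd pam_unix lines: load a Logstash-style pattern file, expand
# %{NAME:field} references into one regex, then apply add_field/add_tag the way
# the grok filter does (only when the match succeeds).
import re

# Constructed, simplified subset of the grok pattern library Logstash ships
# (the real definitions are longer); good enough for /var/log/secure sshd lines.
BASE_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0-3]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "IP": r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![0-9])",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "NUMBER": r"(?<![0-9.+-])[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "DATA": r".*?",
}

# Constructed custom pattern file in the format Logstash loads from patterns_dir:
# one "NAME definition" per line, '#' comments allowed. The user= group is
# optional (pam_unix omits it for some failures) and \s+ tolerates the double
# space real sshd lines often have before it.
PATTERN_FILE = r"""
# sshd pam_unix authentication failure from /var/log/secure
SSHD_PAM_AUTHFAIL %{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} sshd(?:\[%{NUMBER:pid:int}\])?: pam_unix\(sshd:auth\): authentication failure; logname=%{DATA:logname} uid=%{NUMBER:uid:int} euid=%{NUMBER:euid:int} tty=%{PROG:tty} ruser=%{DATA:ruser} rhost=%{IPORHOST:rhost}(?:\s+user=%{USERNAME:user})?
"""

_REF = re.compile(r"%\{(\w+)(?::(\w+)(?::(int|float))?)?\}")

def load_pattern_file(text, library):
    """Return a copy of library extended with the NAME definitions in text."""
    lib = dict(library)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, definition = line.partition(" ")
            lib[name] = definition
    return lib

def compile_grok(pattern, library):
    """Expand %{NAME[:field[:int|float]]} recursively into one Python regex;
    return (compiled regex, {field: converter}) for typed captures."""
    types = {}

    def expand(m):
        name, field, typ = m.groups()
        if field and typ:
            types[field] = int if typ == "int" else float
        body = library[name]  # KeyError here means an undefined pattern name
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    for _ in range(32):  # bounded so a self-referencing definition cannot loop
        pattern, n = _REF.subn(expand, pattern)
        if n == 0:
            return re.compile(pattern), types
    raise ValueError("grok pattern nested too deeply")

def grok_filter(event, regex, types, add_field=None, add_tag=None):
    """Emulate the Logstash grok filter on one event dict: on a match, captures
    become fields (empty captures dropped, grok's default), then add_field and
    add_tag run; on no match only _grokparsefailure is tagged and both skip."""
    tags = event.setdefault("tags", [])
    m = regex.search(event["message"])
    if m is None:
        tags.append("_grokparsefailure")
        return event
    for field, value in m.groupdict().items():
        if value:  # None = optional group absent, "" = empty capture
            event[field] = types[field](value) if field in types else value
    for field, template in (add_field or {}).items():
        # add_field values may reference event fields as %{name}; unknown
        # references stay literal, as in Logstash's sprintf formatting.
        event[field] = re.sub(r"%\{(\w+)\}",
                              lambda r: str(event.get(r.group(1), r.group(0))), template)
    for tag in add_tag or []:
        if tag not in tags:
            tags.append(tag)
    return event

# Constructed sample lines in /var/log/secure format: the line from the post,
# one without user=, and one that is not a pam_unix failure at all.
SAMPLE_LINES = [
    "Jul 8 18:43:05 masternode sshd[18144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.1.1.1 user=abc",
    "Jul  8 18:43:09 masternode sshd[18150]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.1.1.1",
    "Jul  8 18:44:01 masternode sshd[18160]: Accepted publickey for abc from 172.1.1.1 port 51022 ssh2",
]

def process(lines=SAMPLE_LINES):
    """Run the sshd pattern with add_field/add_tag over lines; return events."""
    library = load_pattern_file(PATTERN_FILE, BASE_PATTERNS)
    regex, types = compile_grok("%{SSHD_PAM_AUTHFAIL}", library)
    return [grok_filter({"message": line}, regex, types,
                        add_field={"src_ip": "%{rhost}", "event_type": "ssh_auth_failure"},
                        add_tag=["sshd_auth_failure"]) for line in lines]
```

Calling process() returns the three events: the first carries user, pid as an integer, src_ip copied from rhost and the sshd_auth_failure tag; the second shows that the optional user group is simply absent rather than breaking the match; the third gets only _grokparsefailure, with no src_ip or event_type, because add_field and add_tag never run on a failed match. In a real Logstash config the same pieces are the patterns_dir option, match => { "message" => "%{SSHD_PAM_AUTHFAIL}" }, and the add_field/add_tag options on the grok filter.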