Regex or plugin suggestion needed


(Jayanth T) #1

I'm a newbie to ELK.

This is my sshd_log

2018-01-31 00:16:55,831|INFO |sshd-SshServer[e4afa08]-nio2-thread-12|ServerSession | Server session created from /10.52.3.29:43662
2018-01-31 00:16:58,122|INFO |sshd-SshServer[e4afa08]-nio2-thread-4|ServerSession | Server session created from /10.2.1.3:54183
2018-01-31 00:16:58,191|INFO |sshd-SshServer[e4afa08]-nio2-thread-2|ServerSession | Server session created from /10.4.1.9:43666
2018-01-31 00:16:58,560|INFO |sshd-SshServer[e4afa08]-nio2-thread-3|ServerSession | Server session created from /10.27.4.6:4656
2018-01-31 00:16:59,610|WARN |sshd-SshServer[e4afa08]-nio2-thread-4|BackendSshAuth | Authentication failed for jayanth (/10.217.129.93:54183)
2018-01-31 00:17:16,826|ERROR|HTTP-22404|AuthenticationServlet| Unable to authenticate user "thimmaih"

Grok Pattern
# Header is pipe-delimited; the (/IP:port) tail is split so IP holds only the address and the port lands in its own field
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}\|%{LOGLEVEL:loglevel}\s*\|%{DATA:thread}\|%{DATA:logger}\s*\| Authentication %{WORD:fstatus} %{WORD:cstatus} %{USER:uid} \(/%{IP:IP}:%{POSINT:port}\)" }


I would expect the output below and want to remove the port number and the (/). Is there any plugin/regex you would suggest?

{
"fstatus" => "failed",
"uid" => "sdortmun",
"@timestamp" => 2018-01-31T14:19:11.262Z,
"cstatus" => "for",
"IP" => "10.217.129.93",
"@version" => "1",
"host" => "gkvgerrit003.igk.intel.com",
"message" => "2018-01-31 00:16:59,610|WARN |sshd-SshServer[e4afa08]-nio2-thread-4|BackendSshAuth | Authentication failed for sdortmun (/10.217.129.93:54183)",
"timestamp" => "18-01-31 00:16:59,610"
}
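The extraction the post is after, as an added example that is not part of the original post and is not Logstash's own code: a Python `re` equivalent of the grok captures, run over constructed log lines that follow the shape of the posted sshd_log (the second "Authentication failed" line and the malformed last line are added so the per-source count and the parse-failure path are exercised). The field names `fstatus`, `cstatus`, `uid`, `IP` mirror the expected output; `port`, `thread`, `logger` and the helpers `parse_line`, `parse_log`, `failed_auth_by_ip` and `suspicious_sources` are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (same shape as the sshd_log in the post, not real traffic).
# The second failed-auth line and the malformed last line are added for the example.
SAMPLE_LOG = """\
2018-01-31 00:16:55,831|INFO |sshd-SshServer[e4afa08]-nio2-thread-12|ServerSession | Server session created from /10.52.3.29:43662
2018-01-31 00:16:59,610|WARN |sshd-SshServer[e4afa08]-nio2-thread-4|BackendSshAuth | Authentication failed for jayanth (/10.217.129.93:54183)
2018-01-31 00:17:02,004|WARN |sshd-SshServer[e4afa08]-nio2-thread-4|BackendSshAuth | Authentication failed for jayanth (/10.217.129.93:54190)
2018-01-31 00:17:16,826|ERROR|HTTP-22404|AuthenticationServlet| Unable to authenticate user "thimmaih"
this line is deliberately malformed
"""

# Pipe-delimited header shared by every line: timestamp|LEVEL |thread|logger | message.
# Python named groups (?P<name>...) play the role of grok's %{PATTERN:field} captures.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\|"
    r"(?P<loglevel>[A-Z]+)\s*\|"
    r"(?P<thread>[^|]*)\|"
    r"(?P<logger>[^|]*?)\s*\|\s*"
    r"(?P<msg>.*)$"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Message-level patterns; the "(/IP:port)" tail is split so 'IP' carries only the address.
MESSAGE_RES = [
    re.compile(
        r"^Authentication (?P<fstatus>\w+) (?P<cstatus>\w+) (?P<uid>[A-Za-z0-9._-]+) "
        rf"\(/(?P<IP>{IPV4}):(?P<port>\d+)\)$"
    ),
    re.compile(rf"^Server session created from /(?P<IP>{IPV4}):(?P<port>\d+)$"),
    re.compile(r'^Unable to authenticate user "(?P<uid>[^"]+)"$'),
]


def parse_line(line: str) -> dict:
    """Return the fields extracted from one line. Lines that match nothing are
    tagged _grokparsefailure, as Logstash's grok filter would, instead of raising."""
    head = HEADER_RE.match(line)
    if head is None:
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = head.groupdict()
    for pattern in MESSAGE_RES:
        body = pattern.match(event["msg"])
        if body is not None:
            event.update(body.groupdict())
            break
    return event


def parse_log(text: str) -> list:
    """Parse every non-blank line of a log into a list of event dicts."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_auth_by_ip(events: list) -> Counter:
    """Count 'Authentication failed' events per source address (port already stripped)."""
    return Counter(e["IP"] for e in events if e.get("fstatus") == "failed")


def suspicious_sources(events: list, threshold: int = 2) -> list:
    """Addresses with at least `threshold` failures: the brute-force candidates
    you would alert on once the IP field is clean enough to aggregate on."""
    return sorted(ip for ip, n in failed_auth_by_ip(events).items() if n >= threshold)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print({k: v for k, v in ev.items() if k != "msg"})
    print("failed auth per IP:", dict(failed_auth_by_ip(events)))
    print("suspicious:", suspicious_sources(events))
```

In grok the same split is `\(/%{IP:IP}:%{POSINT:port}\)`, and `%{TIMESTAMP_ISO8601:timestamp}` keeps the full four-digit year; the `18-01-31` in the expected output comes from `%{DATESTAMP}`, whose DATE_EU alternative matches `18-01-31` (day 18, month 01, two-digit year 31) inside `2018-01-31` because the pattern is not anchored. Grok uses Oniguruma's `(?<name>...)` for named groups where Python uses `(?P<name>...)`; otherwise the regexes above carry over to the Kibana Grok Debugger unchanged.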


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.