TTY grok filter needs changed

panaman · January 24, 2017, 4:21pm

The current TTY grok filter does not match if does not contain "/dev"
It will not match the secure log on centos.

Jan 24 16:19:36 USOHWC-ESCTL1 sudo: panaman : TTY=pts/1 ; PWD=/home/panaman ; USER=root ; COMMAND=/bin/tail /var/log/secure

If you change the TTY grok filter to the following, it will work:

TTY ((:?)(/dev/)?(pts|tty([pq])?)(\w+)?/?(?:[0-9]+))

magnusbaeck · January 24, 2017, 8:12pm

Perhaps you can send a pull request for this? Or at least file an issue?

panaman · January 31, 2017, 9:49pm

I went to go file an issue but it says to post it here

magnusbaeck · February 1, 2017, 6:59am

Yes, and I confirm that this (likely) is a bug. Therefore an issue is in order.

Topic		Replies	Views
Grok pattern(s) working in debugger but not used in logstash? Logstash	15	1566	July 6, 2021
Logstash grok pattern not working even though testers say it should Logstash	5	3180	July 6, 2017
Grok Pattern works fine in Debugger but in the Logtstash Logstash	4	348	February 5, 2020
Grokking the Linux authorization logs Logstash	4	3658	November 19, 2017
Grok filter not working (but ok in herokuapp). It even prints nothing in the output Logstash	1	441	December 27, 2017