TTY grok filter needs to be changed

The current TTY grok filter does not match if the TTY value does not contain "/dev".
It will not match the secure log on CentOS.

Jan 24 16:19:36 USOHWC-ESCTL1 sudo: panaman : TTY=pts/1 ; PWD=/home/panaman ; USER=root ; COMMAND=/bin/tail /var/log/secure

If you change the TTY grok filter to the following, it will work:

TTY (?:(/dev/)?(pts|tty([pq])?)(\w+)?/?(?:[0-9]+))
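As an added illustration (not code from the original post or from the Logstash project), the script below runs a sudo grok expression over the CentOS line quoted above and over two constructed lines, once with the stock TTY pattern and once with the proposed one, so the effect of the optional `/dev/` prefix is visible. It uses a tiny `%{NAME:field}` expander on top of Python's `re` module as a stand-in for Logstash's Oniguruma engine; the pattern library is a reduced subset of the grok-patterns definitions written from memory for this demo, and `ORIGINAL_TTY` is assumed to be the stock definition (check your installed `grok-patterns` file for the authoritative text). The third sample line shows that sudo's `TTY=unknown` (no controlling terminal, e.g. a cron job) is still unmatched by either pattern, which is worth knowing before relying on the field for alerting.

```python
import re

# Assumption: the stock logstash-patterns-core TTY definition, which requires /dev/.
ORIGINAL_TTY = r"(?:/dev/(pts|tty([pq])?)(\w+)?/?(?:[0-9]+))"
# The change proposed in the post above: /dev/ becomes optional.
FIXED_TTY = r"(?:(/dev/)?(pts|tty([pq])?)(\w+)?/?(?:[0-9]+))"

# Constructed, simplified subset of grok-patterns; enough to parse a sudo line.
BASE_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:[0-5]?[0-9]|60)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})?",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z.-]*",
    "USER": r"[a-zA-Z0-9._-]+",
    "UNIXPATH": r"(?:/[\w%!$@:.,~-]*)+",
    "GREEDYDATA": r".*",
}

# Grok expression for a sudo audit line (field names are this demo's choice).
SUDO_LINE = (
    r"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} sudo: +%{USER:sudo_user} : "
    r"TTY=%{TTY:tty} ; PWD=%{UNIXPATH:pwd} ; USER=%{USER:target_user} ; "
    r"COMMAND=%{GREEDYDATA:command}"
)

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(pattern, library):
    """Recursively replace %{NAME} / %{NAME:field} references with the library
    regex; a field name becomes a Python named group, a bare name a non-capturing one."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        inner = expand(library[name], library)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return _REF.sub(sub, pattern)


def grok_match(line, pattern, library):
    """Return the named fields as a dict, or None when the line does not match."""
    m = re.compile(expand(pattern, library)).match(line)
    return m.groupdict() if m else None


SAMPLE_LINES = [
    # The CentOS /var/log/secure line quoted in the post: TTY has no /dev/ prefix.
    "Jan 24 16:19:36 USOHWC-ESCTL1 sudo: panaman : TTY=pts/1 ; PWD=/home/panaman ; "
    "USER=root ; COMMAND=/bin/tail /var/log/secure",
    # Constructed: the /dev/-prefixed form the stock pattern was written for.
    "Jan 24 16:20:01 build-host sudo:  alice : TTY=/dev/pts/3 ; PWD=/srv/app ; "
    "USER=root ; COMMAND=/usr/bin/systemctl restart app",
    # Constructed: sudo run without a terminal (cron) logs TTY=unknown.
    "Jan 24 16:21:07 build-host sudo:   root : TTY=unknown ; PWD=/ ; "
    "USER=backup ; COMMAND=/usr/local/bin/backup.sh",
]


def compare(lines):
    """For each line return (matched_with_original, matched_with_fixed, tty_value)."""
    results = []
    for line in lines:
        orig = grok_match(line, SUDO_LINE, {**BASE_PATTERNS, "TTY": ORIGINAL_TTY})
        fixed = grok_match(line, SUDO_LINE, {**BASE_PATTERNS, "TTY": FIXED_TTY})
        results.append((orig is not None, fixed is not None, fixed["tty"] if fixed else None))
    return results


if __name__ == "__main__":
    for line, (o, f, tty) in zip(SAMPLE_LINES, compare(SAMPLE_LINES)):
        print(f"original={o!s:5} fixed={f!s:5} tty={tty!r:14} | {line[:60]}...")
```

Running the script shows the quoted CentOS line failing with the stock pattern and matching with the proposed one, the `/dev/pts/3` line matching with both, and the `TTY=unknown` line matching with neither; a deployment that needs the last case can wrap the field as `(?:unknown|%{TTY})`.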

Perhaps you can send a pull request for this? Or at least file an issue?


I went to go file an issue but it says to post it here

Yes, and I confirm that this (likely) is a bug. Therefore an issue is in order.
