The current TTY grok filter does not match if does not contain "/dev"
It will not match the secure log on centos.
Jan 24 16:19:36 USOHWC-ESCTL1 sudo: panaman : TTY=pts/1 ; PWD=/home/panaman ; USER=root ; COMMAND=/bin/tail /var/log/secureIf you change the TTY grok filter to the following, it will work:
TTY ((:?)(/dev/)?(pts|tty([pq])?)(\w+)?/?(?:[0-9]+))Perhaps you can send a pull request for this? Or at least file an issue?
I went to go file an issue but it says to post it here
Yes, and I confirm that this (likely) is a bug. Therefore an issue is in order.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.