# Logstash filter for auth.log lines (events tagged type "auth_log").
filter {
  if [type] == "auth_log" {
    # Keep the untouched line first: grok applies add_field after its captures,
    # so "%{message}" inside the grok block would already be the overwritten value.
    mutate {
      add_field => { "syslog_raw" => "%{message}" }
    }
    grok {
      # Try every pattern; each one that matches contributes its fields.
      break_on_match => false
      match => [
        "message", "%{SYSLOGBASE} New session %{INT:session_id} of user %{USERNAME:username}\.",
        "message", "%{SYSLOGBASE} Invalid user %{USERNAME:username} from %{IP:src_ip}",
        "message", "%{SYSLOGBASE} Accepted publickey for %{USERNAME:username} from %{IP:src_ip}",
        "message", "%{SYSLOGBASE} Connection closed by %{IP:src_ip} \[preauth\]",
        "message", "%{SYSLOGBASE} reverse mapping checking getaddrinfo for %{HOSTNAME:remote_host} \[%{IP:src_ip}\] failed - POSSIBLE BREAK-IN ATTEMPT!",
        "message", "%{SYSLOGPAMSESSION}",
        "message", "%{SYSLOGLINE}"
      ]
      # %{SYSLOGLINE} captures the text after the syslog header as "message";
      # overwrite lets that replace the raw line.
      overwrite => [ "message" ]
      add_field => { "received_at" => "%{@timestamp}" }
    }
  }
}
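To check what the match list above actually extracts, here is an added Python example (not part of the paste) that expands simplified stand-ins for the stock grok patterns into regexes and runs the paste's sshd patterns over constructed auth.log lines, mirroring break_on_match => false. The pattern definitions and sample lines are assumptions made for this example, not Logstash's own definitions.

```python
import re
# Simplified stand-ins for the stock grok patterns (assumption: the real ones are broader, e.g. IPv6 in %{IP}).
GROK_PATTERNS = {
    "SYSLOGTIMESTAMP": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +\d{1,2} \d{2}:\d{2}:\d{2}",
    "SYSLOGHOST": r"[\w.-]+",
    "PROG": r"[\w._/-]+",
    "POSINT": r"\d+",
    "SYSLOGPROG": r"%{PROG:program}(?:\[%{POSINT:pid}\])?",
    "SYSLOGBASE": r"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} %{SYSLOGPROG}:",
    "INT": r"[+-]?\d+",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "HOSTNAME": r"[\w.-]+",
    "GREEDYDATA": r".*",
    "SYSLOGLINE": r"%{SYSLOGBASE} %{GREEDYDATA:message}",
}
# The match list from the paste, minus %{SYSLOGPAMSESSION} (not defined above).
AUTH_PATTERNS = [
    r"%{SYSLOGBASE} New session %{INT:session_id} of user %{USERNAME:username}\.",
    r"%{SYSLOGBASE} Invalid user %{USERNAME:username} from %{IP:src_ip}",
    r"%{SYSLOGBASE} Accepted publickey for %{USERNAME:username} from %{IP:src_ip}",
    r"%{SYSLOGBASE} Connection closed by %{IP:src_ip} \[preauth\]",
    r"%{SYSLOGBASE} reverse mapping checking getaddrinfo for %{HOSTNAME:remote_host} \[%{IP:src_ip}\] failed - POSSIBLE BREAK-IN ATTEMPT!",
    r"%{SYSLOGLINE}",
]

def expand(pattern):
    """Recursively turn %{NAME} / %{NAME:field} references into a Python regex."""
    def repl(m):
        inner = expand(GROK_PATTERNS[m.group(1)])
        return f"(?P<{m.group(2)}>{inner})" if m.group(2) else f"(?:{inner})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)
COMPILED = [re.compile(expand(p)) for p in AUTH_PATTERNS]
def parse_auth_line(line):
    """Mirror break_on_match => false: every matching pattern contributes fields."""
    fields = {}
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields

# Constructed sample lines in auth.log format (not real traffic).
SAMPLE_LINES = [
    "Mar  3 10:15:02 bastion sshd[2211]: Invalid user admin from 203.0.113.7",
    "Mar  3 10:15:09 bastion sshd[2214]: Accepted publickey for deploy from 198.51.100.4",
    "Mar  3 10:15:09 bastion sshd[2214]: Connection closed by 203.0.113.7 [preauth]",
    "Mar  3 10:15:10 bastion systemd-logind[801]: New session 42 of user deploy.",
]
```

Because the generic %{SYSLOGLINE} pattern also matches, every parsed line carries a "message" field holding the text after the syslog header, which is what the paste's overwrite setting then writes back over the raw line.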
grok for syslog
a guest
May 30th, 2014