LinuxQuestions.org
Old 07-24-2014, 03:38 PM   #1
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Rep: Reputation: 1694
Logstash filter rule


I need to get that "server02" from the message into the "host" field. Anyone have a current logstash filter/mutate for that?

Code:
{
       "message" => "Jul 24 16:20:06 server02 sshd[22594]: pam_unix(sshd:session): session opened for user logging by (uid=0)",
      "@version" => "1",
    "@timestamp" => "2014-06-21T20:26:52.402Z",
          "type" => "auth",
          "host" => "log-server.local",
          "path" => "/var/log/remote/server02/auth.log"
}
 
Old 07-25-2014, 12:57 PM   #2
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Original Poster
Rep: Reputation: 1694
Answer, in the logstash config file:

Code:
filter {
    grok {
        type => "syslog"
        match => [ "message", "%{SYSLOGTIMESTAMP} %{WORD:host} %{GREEDYDATA:syslog_message}" ]
    }
}
Output as desired:
Code:
{
           "message" => "Jul 24 16:45:07 server02 sshd[10503]: pam_unix(sshd:session): session opened for user logging by (uid=0)",
          "@version" => "1",
        "@timestamp" => "2014-07-25T17:40:00.679Z",
              "host" => [
        [0] "127.0.0.1:46534",
        [1] "server02"
    ],
              "type" => "syslog",
    "syslog_message" => "sshd[10503]: pam_unix(sshd:session): session opened for user logging by (uid=0)"
}
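The output above shows grok appending the captured value to the existing "host" field (hence the two-element array) instead of replacing it. The following Python is an added example, not code from the thread: it reproduces that append-vs-overwrite behaviour with a simplified regex equivalent of the grok pattern and a hypothetical `grok_match` helper (assumed names), so the effect of grok's `overwrite => ["host"]` option can be seen on the thread's own event.

```python
import re

# Constructed event mirroring the one in the thread: "host" already holds the
# receiving log server, while the originating host sits inside "message".
EVENT = {
    "message": "Jul 24 16:20:06 server02 sshd[22594]: pam_unix(sshd:session): "
               "session opened for user logging by (uid=0)",
    "type": "auth",
    "host": "log-server.local",
    "path": "/var/log/remote/server02/auth.log",
}

# Simplified regex for %{SYSLOGTIMESTAMP} %{WORD:host} %{GREEDYDATA:syslog_message}
# (grok's SYSLOGTIMESTAMP spells out month names; WORD is \b\w+\b, so a host
# name containing '-' or '.' would not be captured whole by this pattern).
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\b\w+\b) (?P<syslog_message>.*)$"
)


def grok_match(event, overwrite=()):
    """Apply the pattern the way logstash's grok filter does (hypothetical helper).

    Default grok behaviour: a captured field that already exists in the event
    is appended to, turning it into a list (the [0]/[1] array in the thread's
    output). Fields named in `overwrite` are replaced instead, which is what
    grok's `overwrite => ["host"]` option does. A non-matching message gets
    the _grokparsefailure tag, as grok adds it.
    """
    out = dict(event)
    m = SYSLOG_RE.match(event["message"])
    if not m:
        out["tags"] = list(event.get("tags", [])) + ["_grokparsefailure"]
        return out
    for name in ("host", "syslog_message"):
        value = m.group(name)
        if name in out and name not in overwrite:
            existing = out[name]
            out[name] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            out[name] = value
    return out
```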