Answer, in the logstash config file:
Code:
filter {
  grok {
    # restrict this filter to events whose type is "syslog"
    # (older Logstash syntax; newer releases use an if [type] == "syslog" { ... } conditional instead)
    type => "syslog"
    # timestamp is matched but not captured; the hostname and the rest of the line become fields
    match => [ "message", "%{SYSLOGTIMESTAMP} %{WORD:host} %{GREEDYDATA:syslog_message}" ]
  }
}
Output as desired:
Code:
"message" => "Jul 24 16:45:07 server02 sshd[10503]: pam_unix(sshd:session): session opened for user logging by (uid=0)",
"@version" => "1",
"@timestamp" => "2014-07-25T17:40:00.679Z",
"host" => [
[0] "127.0.0.1:46534",
[1] "server02"
],
"type" => "syslog",
"syslog_message" => "sshd[10503]: pam_unix(sshd:session): session opened for user logging by (uid=0)"
}
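The following is an added example, not code from the original post: it applies the same three grok patterns (expanded to simplified regex equivalents, which is an assumption; the stock Logstash definitions are longer) to the quoted syslog line, and reproduces why `host` comes out as a two-element array: the input plugin has already set `host` on the event, and grok does not overwrite an existing field but appends to it. Using a capture name that is not already on the event keeps it a plain string.

```python
import re

# Simplified regex equivalents of the grok patterns used in the answer (assumption:
# close to, but shorter than, the definitions shipped in Logstash's pattern files).
GROK = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::[0-5][0-9])?",
    "WORD": r"\b\w+\b",
    "GREEDYDATA": r".*",
}
GROK["SYSLOGTIMESTAMP"] = f"{GROK['MONTH']} +{GROK['MONTHDAY']} {GROK['TIME']}"


def compile_grok(pattern):
    """Turn %{NAME} / %{NAME:field} references into one compiled regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        regex = GROK[name]
        return f"(?P<{field}>{regex})" if field else f"(?:{regex})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern))


def grok_filter(event, pattern, field="message"):
    """Mimic the grok filter on one event and return a new event dict.

    On a match every named capture is added to the event; a capture whose name
    already exists does not overwrite it, the values are collected into a list
    (the behaviour that produced the two-element "host" array above).
    On no match the event is tagged _grokparsefailure, as Logstash does.
    """
    out = dict(event)
    m = compile_grok(pattern).search(out.get(field, ""))
    if m is None:
        out["tags"] = out.get("tags", []) + ["_grokparsefailure"]
        return out
    for name, value in m.groupdict().items():
        if name in out:
            existing = out[name] if isinstance(out[name], list) else [out[name]]
            out[name] = existing + [value]
        else:
            out[name] = value
    return out


# Constructed event mirroring the post: the input plugin has already set "host".
EVENT = {
    "message": "Jul 24 16:45:07 server02 sshd[10503]: pam_unix(sshd:session): "
               "session opened for user logging by (uid=0)",
    "host": "127.0.0.1:46534",
    "type": "syslog",
}
PATTERN = "%{SYSLOGTIMESTAMP} %{WORD:host} %{GREEDYDATA:syslog_message}"
```

Calling `grok_filter(EVENT, PATTERN)` yields `host` as `["127.0.0.1:46534", "server02"]`; renaming the capture to `%{WORD:syslog_host}` leaves `host` untouched and adds a separate string field.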