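# Logstash pipeline: receive sshd authentication lines from Beats, parse the
# fields that matter for SSH login monitoring, enrich the source address with
# GeoIP and index the result into Elasticsearch.
input {
  beats {
    # Beats agents deliver here. No `ssl` options are set, so the agent-to-
    # Logstash hop is cleartext; acceptable only on a trusted/private segment.
    port => 5044
  }
}

filter {
  # Extract the structured parts of an sshd auth line, e.g. (constructed samples):
  #   "Accepted password for alice from 203.0.113.5 port 51234 ssh2"
  #   "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"
  # The optional "invalid user " group lets attempts against non-existent
  # accounts parse instead of being tagged _grokparsefailure; those lines are
  # the ones a brute-force detection most needs. Field names ("statut" = status,
  # "IP") are kept unchanged because the index mapping and the geoip filter
  # below depend on them.
  grok {
    match => {
      "message" => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} sshd\[%{NUMBER:pid}\]: %{WORD:statut} %{WORD:auth_method} for (?:invalid user )?%{USERNAME:user} from %{IP:IP} port %{NUMBER:port} %{WORD:protocol}"
    }
    # No capture is named "message", so this is effectively a no-op; kept as
    # in the original. Non-matching events keep their raw message, receive the
    # default _grokparsefailure tag and are still indexed below.
    overwrite => ["message"]
  }

  date {
    # syslog timestamps carry no year; the date filter infers one. syslog
    # space-pads single-digit days ("Jan  5 ..."), so the two-space variant is
    # added in case the single-space form rejects the padded day.
    # No `timezone` is set, so the Logstash host's zone is assumed —
    # confirm it matches the sshd hosts or @timestamp drifts by the offset.
    match => ["timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss"]
    target => "@timestamp"
  }

  mutate {
    # Drop Beats/ECS envelope fields and the raw syslog "timestamp" string
    # (already folded into @timestamp above). "host" is redundant with the
    # grok-extracted "hostname".
    remove_field => ["@version", "host", "agent", "ecs", "input", "log", "event", "timestamp"]
  }

  geoip {
    # Looks up the client address captured by grok. When grok failed the
    # "IP" field is absent and the event is tagged by the geoip filter.
    source => "IP"
    target => "geoip"
    fields => ["city_name", "country_name", "location"]
  }
}

output {
  elasticsearch {
    # Plain HTTP, no user/password or ssl settings: only acceptable when the
    # "elasticsearch" host (presumably a Compose service name) is reachable
    # solely on a private network. The daily index name is derived from the
    # event's @timestamp, so late-arriving events land in the day they occurred.
    hosts => ["http://elasticsearch:9200"]
    index => "raw-ssh-logs-%{+YYYY.MM.dd}"
  }
  stdout {
    # Debug output: every event (usernames, source IPs, geo data) is also
    # written to Logstash's stdout/container log, i.e. a second, unindexed copy
    # of the data. Remove once the pipeline is validated.
    codec => rubydebug
  }
}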