filter { if [type] == "LinuxLog" { grok { #connect SSH match => [ "message", "pam_unix\(sshd:session\): session opened for user %{WORD:auth_username}" ] add_field => { "action" => "login" } add_field => { "connection" => "ssh" } add_tag => "linux_auth" } } } filter { if [type] == "LinuxLog" { grok { #disconnect SSH match => [ "message", "pam_unix\(sshd:session\): session closed for user %{WORD:auth_username}" ] add_field => { "action" => "logout" } add_field => { "connection" => "ssh" } add_tag => "linux_auth" } } } filter { if [type] == "LinuxLog" { grok { #connect TTY match => [ "message", "LOGIN ON %{USERNAME:tty} BY %{WORD:auth_username}" ] add_field => { "action" => "login" } add_field => { "connection" => "tty" } add_tag => "linux_auth" } } } filter { if [type] == "LinuxLog" { grok { #disconnect TTY match => [ "message", "pam_unix\(login:session\): session closed for user %{WORD:auth_username}" ] add_field => { "action" => "logout" } add_field => { "connection" => "tty" } add_tag => "linux_auth" } } } filter { if [type] == "LinuxLog" { grok { #unknown user TTY match => [ "message", "FAILED LOGIN %{NUMBER:failed_tries} FROM %{USERNAME:tty} FOR \(%{WORD:auth_username}\), User not known to the underlying authentication module" ] add_field => { "action" => "failed tty login" } add_field => { "connection" => "tty" } add_tag => "linux_auth" } } } filter { if [type] == "LinuxLog" { grok { #unknown user SSH match => [ "message", "Failed password for invalid user %{WORD:auth_username} from %{IP:ipaddress} port %{NUMBER:port_number} ssh2" ] add_field => { "action" => "failed ssh login" } add_field => { "connection" => "ssh" } add_tag => "linux_auth" } } }