filter {
  if  [type] == "LinuxLog" {
    grok {
      #connect SSH
      match => [ "message", "pam_unix\(sshd:session\): session opened for user %{WORD:auth_username}" ]
      add_field => { "action" => "login" }
      add_field => { "connection" => "ssh" }

      add_tag => "linux_auth"
    }
  }
}

filter {
  if  [type] == "LinuxLog" {
    grok {
      #disconnect SSH
      match => [ "message", "pam_unix\(sshd:session\): session closed for user %{WORD:auth_username}" ]
      add_field => { "action" => "logout" }
      add_field => { "connection" => "ssh" }

      add_tag => "linux_auth"
    }
  }
}

filter {
  if  [type] == "LinuxLog" {
    grok {
      #connect TTY
      match => [ "message", "LOGIN ON %{USERNAME:tty} BY %{WORD:auth_username}" ]
      add_field => { "action" => "login" }
      add_field => { "connection" => "tty" }

      add_tag => "linux_auth"
    }
  }
}

filter {
  if  [type] == "LinuxLog" {
    grok {
      #disconnect TTY
      match => [ "message", "pam_unix\(login:session\): session closed for user %{WORD:auth_username}" ]
      add_field => { "action" => "logout" }
      add_field => { "connection" => "tty" }

      add_tag => "linux_auth"
    }
  }
}

filter {
  if  [type] == "LinuxLog" {
    grok {
      #unknown user TTY
      match => [ "message", "FAILED LOGIN %{NUMBER:failed_tries} FROM %{USERNAME:tty} FOR \(%{WORD:auth_username}\), User not known to the underlying authentication module" ]
      add_field => { "action" => "failed tty login" }
      add_field => { "connection" => "tty" }

      add_tag => "linux_auth"
    }
  }
}

filter {
  if  [type] == "LinuxLog" {
    grok {
      #unknown user SSH
      match => [ "message", "Failed password for invalid user %{WORD:auth_username} from %{IP:ipaddress} port %{NUMBER:port_number} ssh2" ]
      add_field => { "action" => "failed ssh login" }
      add_field => { "connection" => "ssh" }

      add_tag => "linux_auth"
    }
  }
}