conorsch
commented
8 years ago Running smoothly, logstash log is clean from the timestamp errors that were previously caused by the missing Z in the date parsing.
Closed conorsch closed 8 years ago
conorsch
commented
8 years ago Running smoothly, logstash log is clean from the timestamp errors that were previously caused by the missing Z in the date parsing.
Most notably leverages
break_on_match => falsefor the SSH logins, to ensure that all possible matches are tried. Otherwise, the filter will bail out early and leave the_grokparsefailuretag assigned. Additionally filtering the syslog events to ensure that the date-parsing logic (#33) for SSH events only applies to events already tagged as "ssh".