...
This article focuses on situations where customers want customization for the remaining fields.
Base on the message that we select we need to create a regular expression to extract the date, host and element.
Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.
| Code Block |
|---|
"syslog_message" : {
"10" : {
"IF" : "^(\\w+\\s\\d+\\s\\d+:\\d+:\\d+)\\s(\\w+[-_]\\w+)",
"THEN" : [
"capture(date,host)"
]
},
"11" : {
"IF" : "Local authentication failed",
"THEN" : [
"set.event(Authentication failed)",
"set.priority(8)"
]
},
} |