I have ssh connections from multiple users. I want to log all connections except those from the user 'git'. How do you create an exception to a filter?
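input {
  file {
    path => "/var/log/auth.log"
    type => "syslog"
  }
}

filter {
  # The original conditional was missing its braces, so the grok blocks were
  # not actually scoped to syslog events; the whole filter now sits inside it.
  if [type] == "syslog" {
    # Example line this pattern is written against:
    # May 14 14:27:59 gitlab sshd[25048]: Accepted publickey for git from 10.0.6.220 port 52535 ssh2
    #
    # The user name and source address are captured into named fields so the
    # exception below can test them directly instead of re-parsing the line
    # with a second grok.  %{IP} matches both IPv4 and IPv6 addresses; with
    # %{IPV4} an IPv6 login would never match and so would never be tagged.
    # add_tag only fires when the match succeeds, so non-"Accepted" lines are
    # left untagged.
    grok {
      match => [ "message", "%{SYSLOGTIMESTAMP} %{HOSTNAME} %{PROG}\[%{NUMBER:pid}\]: Accepted %{WORD:authtype} for %{USER:username} from %{IP:src_ip} port %{NUMBER:port} %{WORD:protocol}" ]
      add_tag => [ "ssh_connection" ]
    }

    # The exception to the filter: a conditional on the captured field.
    # Untag ssh connections from the 'git' user so they do not reach the
    # alerting output below.  The comparison is an exact match, so a user
    # such as "gitlab" is still tagged.
    if [username] == "git" {
      mutate {
        remove_tag => [ "ssh_connection" ]
      }
    }
  }
}

output {
  # Only events that survived the exception above carry the tag.
  if "ssh_connection" in [tags] {
    email {
      to => "foo@bar.com"
      from => "logstash@foobar.com"
      subject => "Intruder Alert"
    }
  }
  redis {
    ...
  }
}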