hugespoon/gist:5495528

## gistfile1.txt
grok {
    type => "syslog"
    pattern => [ "%{SYSLOGBASE} Failed password for %{USERNAME:user} from %{IPORHOST:host} port %{POSINT:port} %{WORD:protocol}" ]
    add_tags => [ "ssh", "grokked", "auth_failure" ]
  }

ERROR

{:timestamp=>"2013-05-01T09:17:07.306000-0500", :message=>"Invalid setting for grok filter plugin:\n\n  filter {\n    grok {\n      # This setting must be a string\n      # Expected string, got [\"ssh\", \"grokked\", \"auth_failure\"]\n      add_tags => [\"ssh\", \"grokked\", \"auth_failure\"]\n      ...\n    }\n  }", :level=>:error}
	grok {
	type => "syslog"
	pattern => [ "%{SYSLOGBASE} Failed password for %{USERNAME:user} from %{IPORHOST:host} port %{POSINT:port} %{WORD:protocol}" ]
	add_tags => [ "ssh", "grokked", "auth_failure" ]
	}

	ERROR

	{:timestamp=>"2013-05-01T09:17:07.306000-0500", :message=>"Invalid setting for grok filter plugin:\n\n filter {\n grok {\n # This setting must be a string\n # Expected string, got [\"ssh\", \"grokked\", \"auth_failure\"]\n add_tags => [\"ssh\", \"grokked\", \"auth_failure\"]\n ...\n }\n }", :level=>:error}