-
-
Save iboumedien/8774f8992dd7f9416aa2 to your computer and use it in GitHub Desktop.
LogStash proftpd xferlog grok
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| file { | |
| path => "/var/log/xferlog" | |
| type => "xferlog" | |
| add_field => { "program" => "proftpd" } | |
| } | |
| } | |
| filter { | |
| if [type] == "xferlog" { | |
| grok { | |
| match => [ "message", "(?<time>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (?<xferTime>\d*) (?<remoteHost>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b) (?<fileSize>\d*) (?<fileName>\S*) (?<transferType>[a|b]) (?<specialActionFlag>\S{1}) (?<direction>\S{1}) (?<accessMode>\S{1}) (?<userName>\S*) (?<serviceName>\S*) (?<authenticationMethod>\S*) (?<authenticatedUserId>\S*) (?<completionStatus>\S*)" ] | |
| } | |
| date { | |
| match => [ "time", "EEE MMM dd HH:mm:ss YYYY" ] | |
| timezone => [ "Europe/London" ] # Change to your local timezone | |
| } | |
| geoip { | |
| source => [ "remoteHost" ] | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment