@juanje
Created July 10, 2012 08:21
A simple Logstash conffile with a custom grok filter
# Logstash 1.x syntax: `type =>` on the filter and `pattern =>` on grok.
# Later releases replace these with `if [type] == "linux-syslog"` conditionals
# and `match => { "message" => "..." }`.
input {
  # Plain, unauthenticated TCP listener: anything that can reach port 3333
  # can inject a line that will be parsed and tagged like a real sshd event.
  tcp {
    type => "linux-syslog"
    port => 3333
  }
  # Tail the local auth log (sshd, sudo and PAM messages on Debian-family systems).
  file {
    type => "linux-syslog"
    path => [ "/var/log/auth.log" ]
  }
}
filter {
  grok {
    type => "linux-syslog"
    # "(invalid user |)" makes the prefix sshd adds for non-existent accounts
    # optional, so both "Failed password for root ..." and
    # "Failed password for invalid user admin ..." match the same pattern.
    pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Failed password for (invalid user |)%{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"
    # This tags every single failed password as an attack; one typo by a
    # legitimate user gets the same tag as the thousandth guess from a scanner.
    add_tag => "ssh_brute_force_attack"
  }
}
output {
  stdout { }
  # The embedded Elasticsearch node is for local testing only.
  elasticsearch { embedded => true }
}
@ssstonebraker

Thanks dude, I used your example to create some more:

# Failed password for an account that does not exist on the host.
grok {
  type => "linux-syslog"
  pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Failed password for invalid user %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"
  add_tag => "ssh_brute_force_attack"
}
# PAM authentication failure for sudo (wrong password at the sudo prompt).
grok {
  type => "linux-syslog"
  pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sudo: pam_unix\(sudo:auth\): authentication failure; logname=%{USERNAME:logname} uid=%{BASE10NUM:uid} euid=%{BASE10NUM:euid} tty=%{TTY:tty} ruser=%{USERNAME:ruser} rhost=(?:%{HOSTNAME:remote_host}|\s*) user=%{USERNAME:user}"
  add_tag => "sudo_auth_failure"
}
# Failed password for an account that does exist.
grok {
  type => "linux-syslog"
  pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Failed password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"
  add_tag => "ssh_failed_login"
}
# Successful password login.
grok {
  type => "linux-syslog"
  pattern => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd\[%{BASE10NUM}\]: Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"
  add_tag => "ssh_successful_login"
}
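
The gist's `Failed password` pattern and the `Accepted password` pattern from the comment above, carried into working detection logic as an added example (this is not code from the gist or from either commenter). The grok names `SYSLOGTIMESTAMP`, `HOSTNAME`, `USERNAME`, `IP` and `BASE10NUM` are replaced by simplified Python regex equivalents, which is an assumption of this example; the log lines are constructed, not captured; and the example goes beyond the page in two ways: it also accepts `publickey` logins, and it only applies the `ssh_brute_force_attack` tag once a source IP has failed a threshold number of times, then flags a success from that same IP, which is the event a responder actually wants paged on.

```python
"""Parse sshd auth-log lines and detect brute force per source IP."""
import re
from collections import Counter

# Simplified stand-ins for the grok patterns used on the page (assumption:
# the real grok definitions are broader; these are enough for sshd lines).
SYSLOGTIMESTAMP = r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
HOSTNAME = r"(?P<host_target>[A-Za-z0-9._-]+)"
USERNAME = r"(?P<username>[a-zA-Z0-9._-]+)"
IP = r"(?P<src_ip>(?:\d{1,3}\.){3}\d{1,3})"
PORT = r"(?P<port>\d+)"

SSHD_PREFIX = rf"^{SYSLOGTIMESTAMP} {HOSTNAME} sshd\[\d+\]: "

# The gist's "(invalid user |)" alternation becomes an optional named group so
# the event records whether the account existed (useful for scanner triage).
FAILED_RE = re.compile(
    SSHD_PREFIX
    + rf"Failed password for (?P<invalid>invalid user )?{USERNAME} from {IP} port {PORT} ssh2$"
)
# Extension over the comment's pattern: publickey logins are accepted too.
ACCEPTED_RE = re.compile(
    SSHD_PREFIX
    + rf"Accepted (?P<method>password|publickey) for {USERNAME} from {IP} port {PORT} ssh2$"
)


def parse_line(line):
    """Return a dict with a 'tags' list (like Logstash add_tag), or None."""
    m = FAILED_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["invalid_user"] = ev.pop("invalid") is not None
        ev["tags"] = ["ssh_failed_login"]
        return ev
    m = ACCEPTED_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["tags"] = ["ssh_successful_login"]
        return ev
    return None  # Logstash's grok would tag the event _grokparsefailure here


def detect(lines, threshold=5):
    """Tag sources that fail >= threshold times; flag a later success from them.

    Returns (events, alerts): parsed events in input order and a list of
    (src_ip, username) pairs where a login succeeded after the threshold.
    """
    failures = Counter()
    events, alerts = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["src_ip"]
        if "ssh_failed_login" in ev["tags"]:
            failures[ip] += 1
            if failures[ip] >= threshold:
                ev["tags"].append("ssh_brute_force_attack")
        elif failures[ip] >= threshold:
            # Success from an IP already flagged: probable credential compromise.
            ev["tags"].append("ssh_brute_force_success")
            alerts.append((ip, ev["username"]))
        events.append(ev)
    return events, alerts


# Constructed sample log (not captured from a real host). 203.0.113.9 guesses
# five times then gets in; 198.51.100.7 is a user mistyping once.
SAMPLE_LOG = """\
Jul 10 08:21:01 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Jul 10 08:21:02 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 51235 ssh2
Jul 10 08:21:03 web1 sshd[1240]: Failed password for root from 203.0.113.9 port 51236 ssh2
Jul 10 08:21:04 web1 sshd[1241]: Failed password for root from 203.0.113.9 port 51237 ssh2
Jul 10 08:21:05 web1 sshd[1242]: Failed password for root from 203.0.113.9 port 51238 ssh2
Jul 10 08:21:09 web1 sshd[1250]: Accepted password for root from 203.0.113.9 port 51240 ssh2
Jul 10 08:22:00 web1 sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jul 10 08:22:05 web1 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Jul 10 08:22:06 web1 CRON[1302]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

if __name__ == "__main__":
    evs, hits = detect(SAMPLE_LOG.splitlines())
    for ev in evs:
        print(ev["timestamp"], ev["src_ip"], ev["username"], ev["tags"])
    print("alerts:", hits)
```

The threshold counter is the part the grok filters on this page cannot do on their own: a grok filter sees one event at a time, so "brute force" has to be decided either downstream (a count of `ssh_failed_login` per `src_ip` in Elasticsearch) or by a stateful stage like the one above. Note also that every grok filter in the comment's chain that does not match a given line adds a `_grokparsefailure` tag to it, so a line matched by one pattern still ends up carrying that tag from the others.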
