Support listing summarizer #20

@fxnn

Description

The main summarizer we currently have is the GrokCounter, which allows a set of patterns (each with a name) and counts the occurrences of each pattern.

Dovecot: Failed Login Attempts
==============================
5.196.31.23: 1
49.248.147.211: 1
52.6.24.186: 4
52.6.71.222: 3
52.6.130.221: 2
54.208.194.166: 1

Now, what I'd like to see is that we not only have the number of occurrences per pattern, but that we can also see what happened. In the above example, we could list the user names per IP.

Dovecot: Failed Login Attempts
==============================
5.196.31.23: webmaster
49.248.147.211: admin
52.6.24.186: joe, webmaster, admin, adm
52.6.71.222: adm, admin, joe
52.6.130.221: frank, joe
54.208.194.166: user

It's yet unclear to me how to specify the match to be displayed. The configuration for the GrokCounter is

- summarizer: count
  config: {
    '%{login_host}': 'auth\(%{PROG}\): %{PROG}\(%{USER},%{IPORHOST:login_host}\): unknown user'
  }

Guess we need a tuple or something, so that we can specify the pattern and the match to be displayed:

- summarizer: count
  config: {
    '%{login_host}': ['%{user}', 'auth\(%{PROG}\): %{PROG}\(%{USER:user},%{IPORHOST:login_host}\): unknown user']
  }

Unfortunately, tuples are hard to read. So, another map?

- summarizer: count
  config: {
    '%{login_host}': {
      list: '%{user}',
      for: 'auth\(%{PROG}\): %{PROG}\(%{USER:user},%{IPORHOST:login_host}\): unknown user'
    }
  }
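As an added example (not the project's GrokCounter and not code from the issue author), the following Python stand-in implements both the existing plain-pattern form of the count summarizer and the proposed `list: ... for: ...` map form. It assumes a hand-written expansion of just the three grok patterns the config uses (PROG, USER, IPORHOST); a real grok library ships many more. The log lines are constructed for the example.

```python
import re

# Minimal stand-ins for the grok base patterns the issue's config uses.
# Assumption: hand-written approximations, not the project's grok library.
GROK_PATTERNS = {
    "PROG": r"[\w._/%-]+",
    "USER": r"[a-zA-Z0-9._-]+",
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[a-zA-Z0-9.-]+)",
}

# Matches %{NAME} or %{NAME:field} references in a grok pattern or display template.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand grok references into a compiled regex; %{NAME:field} becomes a named group."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        base = GROK_PATTERNS[name]
        return "(?P<%s>%s)" % (field, base) if field else "(?:%s)" % base
    return re.compile(GROK_REF.sub(expand, pattern))


def render(template, fields):
    """Fill a display template such as '%{login_host}' from a match's named groups."""
    return GROK_REF.sub(lambda m: fields[m.group(1)], template)


def summarize(key_template, spec, lines):
    """Run one count-summarizer entry over log lines.

    spec is either a plain grok pattern (current form: count matches per key) or
    a {'list': '%{field}', 'for': pattern} map (proposed form: collect the listed
    field per key). Keys keep first-seen order.
    """
    if isinstance(spec, dict):
        list_template, pattern = spec["list"], spec["for"]
    else:
        list_template, pattern = None, spec
    regex = grok_to_regex(pattern)
    summary = {}
    for line in lines:
        m = regex.search(line)
        if m is None:
            continue  # lines that do not match the pattern are ignored
        fields = m.groupdict()
        key = render(key_template, fields)
        if list_template is None:
            summary[key] = summary.get(key, 0) + 1
        else:
            summary.setdefault(key, []).append(render(list_template, fields))
    return summary


def format_report(title, summary):
    """Render the summary in the issue's report layout (title, '=' underline, key: value)."""
    out = [title, "=" * len(title)]
    for key, value in summary.items():
        out.append("%s: %s" % (key, ", ".join(value) if isinstance(value, list) else value))
    return "\n".join(out)


# The pattern from the issue, with the user captured so both forms can share it.
PATTERN = r"auth\(%{PROG}\): %{PROG}\(%{USER:user},%{IPORHOST:login_host}\): unknown user"
COUNT_SPEC = PATTERN
LIST_SPEC = {"list": "%{user}", "for": PATTERN}

# Constructed sample log lines (not real traffic); the last one does not match.
LOG_LINES = [
    "Jan 10 10:01:02 mail dovecot: auth(default): pam(webmaster,5.196.31.23): unknown user",
    "Jan 10 10:01:05 mail dovecot: auth(default): pam(joe,52.6.24.186): unknown user",
    "Jan 10 10:01:06 mail dovecot: auth(default): pam(webmaster,52.6.24.186): unknown user",
    "Jan 10 10:01:07 mail dovecot: auth(default): pam(admin,52.6.24.186): unknown user",
    "Jan 10 10:01:08 mail dovecot: auth(default): pam(adm,52.6.24.186): unknown user",
    "Jan 10 10:01:09 mail dovecot: auth(default): pam(user,54.208.194.166): unknown user",
    "Jan 10 10:01:10 mail dovecot: imap-login: Login: user=<joe>, method=PLAIN, rip=10.0.0.5",
]

if __name__ == "__main__":
    title = "Dovecot: Failed Login Attempts"
    print(format_report(title, summarize("%{login_host}", COUNT_SPEC, LOG_LINES)))
    print()
    print(format_report(title, summarize("%{login_host}", LIST_SPEC, LOG_LINES)))
```

The key template is rendered from the match's named groups, so any captured field can serve as the report key, and the `list` template works the same way; that is why the proposed config has to change `%{USER}` to `%{USER:user}`, since an unnamed reference is compiled as a non-capturing group and cannot be listed.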
