auth.conf

filter {
  if [type] == "shell" {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match   => ["message", "%{SSH_PUB_LOGIN}"]
      add_tag => ["ssh_successful_login", "ssh_pub_login", "ssh_parse"]
    }
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match   => ["message", "%{SSH_PASSWORD_LOGIN}"]
      add_tag => ["ssh_successful_login", "ssh_password_login", "ssh_parse"]
    }
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match   => ["message", "%{SSH_FAILED_LOGIN}"]
      add_tag => ["ssh_failed_login", "ssh_parse"]
    }
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match   => ["message", "%{SSH_DISCONNECT}"]
      add_tag => ["ssh_disconnect", "ssh_parse"]
    }
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match   => ["message", "%{SSH_SNOOPY}"]
      add_tag => ["ssh_snoopy", "ssh_parse"]
    }

    if "ssh_parse" not in [tags] {
      grok {
        patterns_dir => "/etc/logstash/patterns"
        match   => ["message", "%{AUTH_LOG_LINE}"]
      }
    }

    mutate {
      remove_tag => ["ssh_parse", "_grokparsefailure"]
    }

    date {
      timezone => "Europe/Amsterdam"
      match => ["timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601"]
    }
  }
}