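{{ ansible_managed | comment }}

# pam_unix lines arriving on the authpriv facility are classified into three
# event types. Every grok below is anchored (^...$), so at most one of them
# matches a given message, and tag_on_failure is cleared on each of them so a
# message that is not that particular pam_unix line does not collect
# _grokparsefailure. PAM_PREFIX is a site-specific pattern loaded from
# /etc/logstash/patterns/*.grok together with the stock grok patterns.
filter {
  if [facility] == "authpriv" {

    # Failed authentication.
    # rhost is matched with IPORHOST rather than HOSTNAME: an IPv6 literal
    # contains ':' and never matches HOSTNAME, which (because
    # tag_on_failure is empty) would make such failures vanish from the
    # pam_unix_auth_fail set without any trace. IPORHOST also accepts
    # everything HOSTNAME accepted, so existing events are unaffected.
    # logname and ruser are frequently empty, hence the optional groups.
    # NOTE(review): the stock grok TTY pattern only matches /dev/... device
    # paths; if pam_unix lines in this environment carry other tty values, a
    # custom TTY definition in the patterns dir is required - confirm against
    # the .grok files shipped there.
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      patterns_files_glob => "*.grok"
      match => {
        "message" => "^pam_unix%{PAM_PREFIX}: authentication failure; logname=(%{USERNAME:pam_logname})? uid=%{INT:pam_uid} euid=%{INT:pam_euid} tty=%{TTY:pam_tty} ruser=(%{USERNAME:pam_ruser})? rhost=(%{IPORHOST:pam_rhost})? user=%{USERNAME:pam_user}$"
      }
      add_tag => ["pam_unix", "pam_unix_auth_fail"]
      tag_on_failure => []
    }

    # Session opened. Both the target user and the "by" user are optional,
    # and each may carry a "(uid=N)" suffix, so the pattern accepts the
    # variants "user X(uid=N) by (uid=M)" and "user X by Y(uid=M)" alike.
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      patterns_files_glob => "*.grok"
      match => {
        "message" => "^pam_unix%{PAM_PREFIX}: session opened for user (%{USERNAME:pam_user})?(\(uid=%{INT:pam_uid}\))? by (%{USERNAME:pam_by_user})?(\(uid=%{INT:pam_by_uid}\))?$"
      }
      add_tag => ["pam_unix", "pam_unix_session_opened"]
      tag_on_failure => []
    }

    # Session closed. Only the user name is reported on this line.
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      patterns_files_glob => "*.grok"
      match => {
        "message" => "^pam_unix%{PAM_PREFIX}: session closed for user %{USERNAME:pam_user}$"
      }
      add_tag => ["pam_unix", "pam_unix_session_closed"]
      tag_on_failure => []
    }
  }
}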