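{{ ansible_managed | comment }}
# Logstash filter stage for OpenSSH server (sshd) log lines arriving on the
# "auth" facility. Each grok below recognises one sshd message shape; on a
# match it adds the "sshd" tag plus a message-specific tag and extracts the
# named fields. Only five shapes are handled here -- anything else (for
# example failed-authentication lines) passes through untagged and unparsed,
# so downstream detection content keyed on these tags will not see it.
#
# tag_on_failure is emptied on every grok on purpose: the patterns are
# mutually exclusive and a non-match is the normal case, so the default
# _grokparsefailure tag would be stamped on every line that hits the "wrong"
# grok first.
filter {
  if [program] == "sshd" and [facility] == "auth" {
    # Successful authentication. The trailing optional group captures the key
    # type and fingerprint that sshd appends for public-key logins; password
    # logins end after the protocol version. %{BASE64} is not a stock grok
    # pattern: it must be defined in a *.grok file under patterns_dir.
    # NOTE(review): %{WORD} is \b\w+\b, so hyphenated key types would not
    # match and such lines go untagged -- verify against the sshd versions in use.
    grok {
      patterns_dir        => ["/etc/logstash/patterns"]
      patterns_files_glob => "*.grok"
      match => {
        "message" => "^Accepted %{WORD:sshd_auth_method} for %{USERNAME:sshd_auth_user} from %{IP:sshd_client_ip} port %{INT:sshd_client_port} %{WORD:sshd_proto_version}(: %{WORD:sshd_key_type} %{WORD:sshd_key_hash_type}:%{BASE64:sshd_key_hash})?$"
      }
      add_tag        => ["sshd", "sshd_accepted_auth"]
      tag_on_failure => []
    }

    # Client-initiated disconnect: "port <port>:<reason code>: <free text>".
    grok {
      match => {
        "message" => "^Received disconnect from %{IP:sshd_client_ip} port %{INT:sshd_client_port}:%{INT:sshd_disconnect_reason}: %{GREEDYDATA:sshd_disconnect_msg}$"
      }
      add_tag        => ["sshd", "sshd_received_disconnect"]
      tag_on_failure => []
    }

    # Session teardown for an authenticated user.
    grok {
      match => {
        "message" => "^Disconnected from user %{USERNAME:sshd_auth_user} %{IP:sshd_client_ip} port %{INT:sshd_client_port}$"
      }
      add_tag        => ["sshd", "sshd_disconnected"]
      tag_on_failure => []
    }

    # Daemon start-up: which address/port sshd bound. The period before the
    # anchor is escaped (\.) so it matches the literal trailing period sshd
    # writes rather than any character.
    grok {
      match => {
        "message" => "^Server listening on %{IP:sshd_listen_ip} port %{INT:sshd_listen_port}\.$"
      }
      add_tag        => ["sshd", "sshd_listening"]
      tag_on_failure => []
    }

    # Daemon received a signal; the action text (e.g. what it does in
    # response) is kept verbatim. Same literal-period escape as above.
    grok {
      match => {
        "message" => "^Received signal %{INT:sshd_signal}; %{GREEDYDATA:sshd_signal_action}\.$"
      }
      add_tag        => ["sshd", "sshd_received_signal"]
      tag_on_failure => []
    }
  }
}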